DevSecOps
Zero Trust for CI/CD Pipelines: A Concrete Blueprint
CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHAs, and short-lived identities.
Mar 24, 20268 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHAs, and short-lived identities.
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
A March 2025 GitHub Action compromise rewrote every tagged version to leak secrets. Here is the timeline, attack chain, and what repos need to change.
How a GitHub Actions cache poisoning attack pushed a crypto miner into Ultralytics 8.3.41 on PyPI, and what engineering teams should actually change.
Attackers compromised the popular tj-actions/changed-files GitHub Action, injecting credential-stealing code that affected over 23,000 repositories. A textbook software supply chain attack.
Researchers disclosed techniques to poison GitHub Actions artifacts, enabling code execution in CI/CD pipelines of downstream projects. The attack exploits trust assumptions in artifact sharing.
Weekly insights on software supply chain security, delivered to your inbox.