SBOM Review in Pull Request Workflows
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
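The control the teaser describes reduces to one check: generate an SBOM for the base branch and one for the PR head, diff the component sets, and block the merge when something new or changed shows up that nobody approved. The script below is an added example, not code from the original page or from Safeguard; it diffs two CycloneDX JSON documents and returns a pass/fail verdict. The two SBOMs are constructed inline (in a real workflow they would come from a generator such as syft run against each ref), and the `ALLOWLIST` set and the `review_verdict` policy are assumptions for illustration.

```python
"""Diff a base-branch SBOM against a PR-branch SBOM and gate the merge.

Added example for illustration; not the page's or Safeguard's own code.
Input is CycloneDX JSON. Components are keyed on their purl minus the
version so that a version bump shows up as "changed", not as one removal
plus one addition.
"""
import json
import sys

# Constructed sample SBOMs, trimmed to the fields the diff actually uses.
BASE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2"},
    ],
})
PR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.20.0",
         "purl": "pkg:npm/express@4.20.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

# Hypothetical allowlist of package keys that may change without review.
ALLOWLIST = frozenset()


def load_components(sbom_json):
    """Map purl-without-version -> set of versions present in the SBOM.

    A set is used because one SBOM can legitimately carry the same package
    at two versions (nested node_modules, shaded jars); collapsing to a
    single version would hide one of them.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = {}
    for c in doc.get("components", []):
        purl = c.get("purl")
        # rsplit on the last '@' so percent-encoded npm scopes survive.
        key = purl.rsplit("@", 1)[0] if purl else f"{c.get('type')}:{c.get('name')}"
        comps.setdefault(key, set()).add(c.get("version", "?"))
    return comps


def diff_sboms(base_json, pr_json):
    """Return added / removed / changed components between two SBOMs."""
    base, pr = load_components(base_json), load_components(pr_json)
    added = {k: pr[k] for k in pr.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - pr.keys()}
    changed = {k: (base[k], pr[k]) for k in base.keys() & pr.keys()
               if base[k] != pr[k]}
    return {"added": added, "removed": removed, "changed": changed}


def review_verdict(diff, allowlist=ALLOWLIST):
    """Policy: any unreviewed addition or version change fails the check.

    Removals are reported but do not block; dropping a dependency is not a
    supply-chain risk in itself. Returns ("pass"|"fail", [findings]).
    """
    findings = []
    for key, versions in sorted(diff["added"].items()):
        if key not in allowlist:
            findings.append(f"new dependency {key} {sorted(versions)}")
    for key, (old, new) in sorted(diff["changed"].items()):
        if key not in allowlist:
            findings.append(f"version change {key} {sorted(old)} -> {sorted(new)}")
    return ("fail" if findings else "pass", findings)


if __name__ == "__main__":
    status, notes = review_verdict(diff_sboms(BASE_SBOM, PR_SBOM))
    for note in notes:
        print(note)
    for key in sorted(diff_sboms(BASE_SBOM, PR_SBOM)["removed"]):
        print(f"removed dependency {key} (informational)")
    sys.exit(0 if status == "pass" else 1)
```

In a CI job the exit status is what turns this into a merge gate; the findings list is what you post back as a PR comment so the reviewer sees the new purls without opening the SBOM. Keying on purl rather than on name avoids treating `pkg:npm/foo` and `pkg:pypi/foo` as the same package.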
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Compromised npm tokens pushed crypto-miner versions of @rspack/core and @rspack/cli in December 2024. Timeline, payload, and what downstream teams missed.
Prompt caching and engine memoisation combine to make Griffin AI scans repeat-cheap. Pure-LLM tools recompute the same reasoning on every run.
A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.
Retrieval-augmented generation systems are where enterprise AI meets enterprise data, and where most security rollouts stumble. A catalog of the antipatterns we keep seeing.
Getting the CWE right is not a taxonomic hobby. It drives remediation, compliance mapping, and detection engineering. Here is how grounded and pure-LLM scanners compare.
Qwen's open-weight models have strong code benchmarks. We dig into how they compare to Griffin AI when the workflow is real code security, not just leetcode.
A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and where Tetragon fits in a real stack.