CyberForge Blog — DevSecOps & CI/CD Hardening
https://cyberforge.agency/en/blog
CI/CD pipeline security, DORA and NIS2 regulations, DevSecOps tools — written for CTOs and engineers.
Language: en
Last build: Wed, 25 Mar 2026 15:05:30 GMT
Image: https://cyberforge.agency/og-image.png
Publisher: CyberForge (https://cyberforge.agency/en/)

Policy-as-Code — when security policy exists only on paper
https://cyberforge.agency/en/posts/policy-as-code-opa
Most organizations have security policies. Few have mechanisms that actually enforce them. The difference becomes apparent during an incident.
Published: Wed, 18 Mar 2026 00:00:00 GMT | Category: Tools | Author: kontakt@cyberforge.agency (Szymon Mytych)

Zero Trust in the context of DevSecOps — a principle you cannot ignore
https://cyberforge.agency/en/posts/zero-trust-in-devsecops
Zero Trust is a security architecture based on the assumption that no user, system or network should be trusted by default.
Published: Tue, 17 Mar 2026 00:00:00 GMT | Category: Fundamentals | Author: kontakt@cyberforge.agency (Szymon Mytych)

Why DevSecOps slows down teams — and when it doesn't have to
https://cyberforge.agency/en/posts/devsecops-without-slowing-teams
Most negative experiences with implementing security in pipelines stem from implementation errors, not from the DevSecOps idea itself.
Published: Mon, 16 Mar 2026 00:00:00 GMT | Category: Practice | Author: kontakt@cyberforge.agency (Szymon Mytych)

Enterprise client security questionnaire — what they check and how to prepare
https://cyberforge.agency/en/posts/enterprise-security-questionnaire
VRA blocks the contract. Analysts look for answer consistency, knowledge of your environment and evidence — not declarations.
Published: Sun, 15 Mar 2026 00:00:00 GMT | Category: Business | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

Long-lived tokens in CI/CD — why they are a problem nobody sees
https://cyberforge.agency/en/posts/oidc-replacing-tokens
Static API keys and cloud access tokens in pipelines are one of the most common attack vectors. The problem is structural.
Published: Sat, 14 Mar 2026 00:00:00 GMT | Category: Security | Author: kontakt@cyberforge.agency (Szymon Mytych)

Cost of data breaches and CI/CD incidents — what the data says
https://cyberforge.agency/en/posts/cost-of-data-breaches-cicd
IBM, Verizon, GitGuardian — what the data says about security incident costs and why companies selling to Enterprise pay double.
Published: Fri, 13 Mar 2026 00:00:00 GMT | Category: Business | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

GitHub Actions — 10 configuration mistakes I see in every audit
https://cyberforge.agency/en/posts/github-actions-configuration-mistakes
GITHUB_TOKEN with write on everything, actions without SHA pinning, secrets in logs — 10 mistakes that co-occur and reinforce each other.
Published: Thu, 12 Mar 2026 00:00:00 GMT | Category: Practice | Author: kontakt@cyberforge.agency (Szymon Mytych)

Evidence Pack — What It Is and Why Your Auditor Wants One
https://cyberforge.agency/en/posts/evidence-pack-what-it-is
An Evidence Pack is the technical documentation that proves your pipeline security controls actually work — not just that you claim they do.
Published: Wed, 11 Mar 2026 00:00:00 GMT | Category: Fundamentals | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

SBOM — why the software bill of materials is becoming a market requirement
https://cyberforge.agency/en/posts/sbom-what-it-is
Software Bill of Materials describes what software is built from. Regulations and Enterprise requirements mean its absence blocks sales.
Published: Tue, 10 Mar 2026 00:00:00 GMT | Category: Tools | Author: kontakt@cyberforge.agency (Szymon Mytych)

SOC 2 Type II and Your CI/CD Pipeline — What Auditors Actually Verify
https://cyberforge.agency/en/posts/soc2-pipeline-requirements
SOC 2 auditors increasingly examine CI/CD pipelines. Here's what they look for and how to prepare.
Published: Mon, 09 Mar 2026 00:00:00 GMT | Category: Regulations | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

Secret leaks in CI/CD pipelines — scale of the problem and mechanisms
https://cyberforge.agency/en/posts/secret-leaks-github-actions
Secrets in pipelines leak regularly — often not through attacks but through configuration errors that exist for years.
Published: Sun, 08 Mar 2026 00:00:00 GMT | Category: Security | Author: kontakt@cyberforge.agency (Szymon Mytych)

Vendor Risk Assessment — What Enterprise Buyers Actually Evaluate
https://cyberforge.agency/en/posts/vendor-risk-assessment-guide
VRA questionnaires are getting longer and more technical. Here's what security analysts look for and how to respond effectively.
Published: Sat, 07 Mar 2026 00:00:00 GMT | Category: Business | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

Artifact integrity in DevOps — the gap most organizations ignore
https://cyberforge.agency/en/posts/artifact-signing-cosign
Between build and production deployment an artifact can be replaced. Without integrity verification — there is no way to detect it.
Published: Fri, 06 Mar 2026 00:00:00 GMT | Category: Security | Author: kontakt@cyberforge.agency (Szymon Mytych)

NIS2 and the software supply chain — new obligations for technology companies
https://cyberforge.agency/en/posts/nis2-supply-chain-security
NIS2 requires auditing software suppliers. If you deliver software to entities covered by the directive — you must prove supply chain security.
Published: Thu, 05 Mar 2026 00:00:00 GMT | Category: Regulations | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

DORA and CI/CD Pipeline Security — What the Regulation Actually Requires
https://cyberforge.agency/en/posts/dora-pipeline-requirements
DORA requires ICT security controls including CI/CD systems. If you sell software to financial institutions — your pipeline is in scope.
Published: Wed, 04 Mar 2026 00:00:00 GMT | Category: Regulations | Author: kontakt@cyberforge.agency (Michał Jaśniewski)

CI/CD Hardening — What It Is and Why Companies Ignore It
https://cyberforge.agency/en/posts/hardening-cicd-what-it-is
Your CI/CD pipeline holds production keys — but it's secured like a dev tool. What is hardening and why do companies ignore it?
Published: Tue, 03 Mar 2026 00:00:00 GMT | Category: Fundamentals | Author: kontakt@cyberforge.agency (Szymon Mytych)