Trust isn't a state. It's a loop.
Safeguard is built as one continuous lifecycle: every artifact moves through Source → Assemble → Distribute → Procure, and each stage feeds the next. Legacy SCA fires once at PR time and goes silent. We close the loop.
- Source: Assess vendor risk and validate components before intake
- Assemble: Build, scan, and generate SBOMs with security gates
- Distribute: Monitor runtime, detect drift, and deliver securely
- Procure: Enforce compliance and manage third-party risk
Why a lifecycle, not a one-shot scan?
Legacy SCA fires once at PR time. It tells you whether that build was clean, then goes silent. The problem: a package that was clean on Tuesday becomes the tj-actions compromise on Wednesday, the xz-utils backdoor three months later, and the polyfill.io CDN takeover next quarter. The trust posture of every component has to be re-evaluated continuously.
The Continuous Trust Lifecycle codifies that. Each stage has its own policy gates, its own products, and its own attestations. When a CVE lands upstream, the loop catches it at the affected stage; when an attestation expires, the loop forces a rebuild; when an agent commits unreviewed code, the loop catches it before Source.
Four stages, every loop
Source
Continuous Sourcing
Every component that enters your stack is risk-scored, attested, and policy-gated before it gets near a build. Vendor SBOMs, OSS dependencies, and AI-suggested packages all flow through the same intake.
AI agents commit dependencies you've never reviewed. Typosquats land in production by the second build.
Assemble
Continuous Integration
Every build emits a signed SBOM, runs through 100-layer reachability + taint analysis, and is blocked at the policy gate if a reachable critical vulnerability, a missing license, or an unattested transitive dependency shows up.
Vulnerable dependencies ship to production. Engineers find them 45 days later.
Distribute
Continuous Deployment
Runtime telemetry compares the deployed artifact against its attested SBOM. Drift — an unexpected binary, a syscall that doesn't match the build profile, an outbound connection that isn't on the allowlist — fires within seconds and rolls back via policy.
An attacker replaces a running binary after deployment and you never see it. Drift is silent for 287 days.
Procure
Continuous Compliance
Every artifact and every vendor relationship carries continuous evidence — SOC 2, ISO 27001, FedRAMP HIGH, EU CRA, DORA, DPDP — exportable on demand. Quarterly audit prep collapses to a query, and contract controls feed back into Source.
Audit prep eats 6 weeks per quarter. A failed control mid-cycle blocks a $12M contract.
How the loop caught tj-actions in 1.7 hours
The March 2025 tj-actions/changed-files compromise exposed CI secrets across 218 public repositories before GitHub revoked the malicious tags 12+ hours later. On the day of the attack, Safeguard customers were remediated in under two hours — without a single human authoring a fix. Here's the timeline.
- March 14, 2025 · 09:32 UTC · External event
Attacker rewrites tj-actions/changed-files v1–v45 tags to point at a malicious commit. CVE-2025-30066 will be assigned 6 hours later.
↳ 23,000 public repositories depend on this action. Logs from any workflow that runs in the window publish CI secrets to a world-readable Gist.
- 09:34 UTC (+2 min) · 01 Source
TPRM detects an unsigned tag rewrite on tj-actions/* across the customer's allowlisted Action set. Vendor risk score on tj-actions drops from B to F.
↳ Source policy gate blocks any new workflow file that references tj-actions@v* without an explicit SHA pin override.
- 09:36 UTC (+4 min) · 02 Assemble
Scanner Suite re-scans every repository that uses tj-actions. 47 hits surfaced. Griffin AI authors fix PRs replacing the tag reference with the last known-good SHA.
↳ Auto-Fix opens 47 PRs in parallel. 41 merge automatically via the policy gate, 6 escalate to humans for review.
- 09:48 UTC (+16 min) · 03 Distribute
Guard rolls back any CI run started in the 10-minute window. Workflow logs are scanned for secret-shaped strings and the matching tokens are auto-revoked via the customer's secret managers.
↳ 26 tokens revoked (GH PATs, npm publish tokens, AWS keys, GCP service accounts). New tokens issued via JIT broker.
- 11:14 UTC (+1.7 hr) · 04 Procure
Portal exports a signed incident attestation: 47 repos affected, 47 remediated, 26 secrets rotated, zero secrets leaked. The attestation drops into the SOC 2 evidence pack.
↳ Same attestation feeds back to Source as a new blacklist rule on tj-actions/* for the next intake cycle. The loop closes.
- Outcome
Total elapsed: 1.7 hours. 47 repos remediated, 26 secrets rotated, zero secret leaks, full audit trail. The same incident took industry-average GitHub Actions users 12-18 hours of manual triage and weeks of credential rotation.
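The Source gate at 09:34 and the Assemble fix at 09:36 both depend on one check: whether a workflow references an action by a mutable tag or by a commit SHA. The following is an added example of that check, not Safeguard's code; `audit_workflow`, `Finding`, the `watchlist` parameter, and the sample workflow are constructed for illustration.

```python
import re
from typing import NamedTuple

# `uses: owner/repo[/path]@ref`, optionally quoted, in a step or reusable-workflow job.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

class Finding(NamedTuple):
    line: int
    action: str
    ref: str

def audit_workflow(text, watchlist=()):
    """Return `uses:` references not pinned to a full 40-hex commit SHA.

    watchlist: lowercase owner prefixes to restrict the check to (empty = all).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue  # not a uses: line (commented-out lines do not match)
        target = m.group(1)
        # Local actions and container images are not resolved through git refs.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if watchlist and not action.lower().startswith(tuple(watchlist)):
            continue
        # Tags and branches can be re-pointed after review; only a full SHA is immutable.
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref))
    return findings

# Constructed workflow for illustration; the 40-hex SHA is a made-up value.
SAMPLE = """\
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - name: list changed files
        uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-lint
      # - uses: tj-actions/changed-files@v44
      - uses: "tj-actions/changed-files@main"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE, watchlist=("tj-actions/",)):
        print(f"line {f.line}: {f.action}@{f.ref} is not SHA-pinned")
```

Run as a pre-merge check over `.github/workflows/*.yml`, a non-empty result is the condition on which a gate like the one described would reject the change.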
Lifecycle vs one-shot SCA
The structural difference, side by side.
| One-shot SCA | Continuous Trust Lifecycle |
|---|---|
| ✗ Scans once at PR time, silent after merge | Every stage scans, attests, gates, feeds the next |
| ✗ No re-evaluation when upstream CVE lands | Upstream CVE triggers Auto-Fix within minutes |
| ✗ Alerts on every CVE regardless of reachability | 100-layer reachability + EPSS + KEV prioritisation |
| ✗ Audit prep is a 6-week quarterly fire drill | Continuous evidence — audit in hours, not weeks |
| ✗ No runtime drift detection | eBPF drift detection + auto-rollback at runtime |
| ✗ Mean time to remediate: 45 days | Mean time to remediate: 3 days (KEV: seconds) |
Product × Stage matrix
Which Safeguard product covers which stage of the loop.
| Product | Source | Assemble | Distribute | Procure |
|---|---|---|---|---|
| ESSCM | ||||
| Portal | ||||
| Griffin AI | · | |||
| OSM · Gold | · | · | · | |
| Scanner Suite | · | · | ||
| TPRM | · | · | ||
| Auto-Fix | · | · | ||
| Guard | · | · | · | |
| SBOM Studio | · | |||
| MCP Server | · | · | ||
| Cowork | · | · | · |
See the loop running on your code
The lifecycle isn't a diagram. It's the operational mode of every Safeguard tenant. Book a 30-minute walkthrough and we'll trace one of your repos through every stage on live customer infrastructure.