Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
SecOps Budget Justification: Supply Chain Program
Supply chain SecOps budgets get cut because the case is told as fear instead of math. Here is a budget justification that survives a finance review.
Safeguard vs Wiz: Supply Chain Focus 2026
How Safeguard and Wiz compare in 2026 for software supply chain security, SCA depth, container provenance, and autonomous remediation.
Vendor Offboarding and Supply Chain Data Destruction
A practical playbook for offboarding software vendors and ensuring data is actually destroyed, not just promised to be destroyed, across complex subprocessor chains.
MCP Server Capability Policy Enforcement
MCP servers expose tools that AI agents can call directly. Capability policy decides which tools each agent gets, with the same rigor as any other supply chain gate.
How to Generate an SBOM with GitHub Actions (2026)
SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.
How to Detect Malicious npm Packages: A Workflow
A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.
Procurement Security Questionnaires That Actually Work
How to design a supplier security questionnaire that produces usable signal, what to cut from standard templates, and how to integrate the output into real risk decisions.
Post-Quantum Signing: An Artifact Migration Plan
A concrete migration plan for artifact signing from ECDSA to ML-DSA and SLH-DSA, covering Sigstore, Notary, HSMs, and staged hybrid rollouts.
Tracking Vendor-Supplied Binaries In Your Runtime
Vendor binaries run as root and ship without SBOMs. Continuous discovery brings them under the same governance as your own code.
Vendor Risk During M&A Due Diligence
M&A due diligence usually ignores vendor risk until the day after close. By then, the buyer has inherited a vendor portfolio with no visibility and no leverage.
Safeguard vs Aqua Security Platform Review
A fact-based comparison of Safeguard and Aqua Security in 2026 across container coverage, runtime protection, SCA depth, and supply chain capabilities.
Evidence-Driven SecOps vs Feeling-Driven SecOps
Two SecOps programs can look identical on a status report and behave completely differently when the next incident hits. The difference is whether they run on evidence or on feeling.