Safeguard
Topic

Concepts

In-depth guides and analysis on concepts from the Safeguard engineering team.

116 articles

Concepts

What is Binary Provenance

Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.

Oct 9, 20256 min read
Concepts

What Is the NVD (National Vulnerability Database)?

The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.

Sep 30, 20256 min read
Concepts

What is Secretless Authentication in CI/CD

Secretless authentication replaces stored CI credentials with short-lived OIDC tokens minted per job. Here's the trust-policy plumbing, provider support, and the pitfalls.

Sep 16, 20257 min read
Concepts

What Is Semantic Versioning?

Semantic versioning encodes the meaning of a release into its version number. Here is how MAJOR.MINOR.PATCH works and why it drives both dependency resolution and security triage.

Sep 9, 20256 min read
Concepts

What Is a Transitive Dependency?

A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.

Aug 26, 20255 min read
Concepts

What is a Vulnerability Exploitability eXchange (VEX) Statement

A VEX statement is a machine-readable assertion of whether a product is actually affected by a CVE — the document that stops your customers from triaging your SBOM for you.

Aug 22, 20256 min read
Concepts

What is Patch Latency

Patch latency is the gap between a fix existing and the fix running in production. Here's how to measure it honestly, why it balloons, and how teams get it under 30 days.

Aug 17, 20257 min read
Concepts

What Is a Lockfile?

A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.

Aug 5, 20255 min read
Concepts

What is a Build Cache Poisoning Attack

Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.

Jul 14, 20256 min read
Concepts

What Is a Package Registry?

A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.

Jul 14, 20256 min read
Concepts

What Is Password Salting? Why Two Identical Passwords Should Never Match

Password salting adds a unique random value to each password before hashing, so identical passwords produce different hashes and precomputed attacks fall apart.

Jun 17, 20256 min read
Concepts

What is Typo-Squatting Detection

Typo-squatting detection identifies malicious packages named one keystroke away from real ones — requets instead of requests — before they reach your build.

Jun 7, 20256 min read
Concepts (Page 7) — Supply Chain Security Blog | Safeguard