Safeguard
Topic

Guides

In-depth guides and analysis on guides from the Safeguard engineering team.

22 articles

Guides

How to Rotate Leaked CI Secrets Without Downtime

A leaked CI credential does not have to mean an outage. The dual-credential pattern: issue new alongside old, cut over, verify with usage logs, then revoke — plus what to do after.

Mar 13, 20266 min read
Guides

How to Respond When a CVE Drops in a Package You Ship

A working playbook for the day a CVE lands in your dependency tree: confirm exposure with SBOM queries, judge real exploitability, patch or mitigate, then prove it and publish VEX.

Mar 6, 20266 min read
Guides

How to Set Up Dependency Review on GitHub Pull Requests

GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.

Sep 17, 20255 min read
Guides

How to Verify an npm Package Before Installing It

Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.

Jul 9, 20256 min read
Guides

How to Vet a GitHub Action Before You Trust It with Secrets

Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.

Jun 22, 20256 min read
Guides

How to Run a Tabletop Exercise for a Supply Chain Breach

A 90-minute tabletop built on a compromised dependency scenario will expose more gaps than a year of policy reviews. Here is the full agenda, injects included.

Jul 11, 20246 min read
Guides

How to Meet EO 14028 Self-Attestation Requirements Step by Step

The CISA attestation form is final and the deadlines are real. Here is the step-by-step path: scope, SSDF evidence, POA&Ms, and RSAA submission.

May 2, 20247 min read
Guides

How to Audit Python Dependencies with pip-audit (and What It Misses)

pip-audit checks your Python dependencies against the PyPA advisory database in one command. Here is how to run it well in CI, and the four gaps it leaves open.

Apr 26, 20246 min read
Guides

How to Write a Vulnerability Disclosure Policy Developers Respect

Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.

Apr 22, 20247 min read
Guides

How to Generate an SBOM in a GitLab CI Pipeline

A working .gitlab-ci.yml for SBOM generation with Syft: CycloneDX report artifacts, a Grype scan stage, and Cosign attestations pushed next to the image.

Mar 3, 20245 min read
Guides (Page 2) — Supply Chain Security Blog | Safeguard