Guides
In-depth guides and analysis on guides from the Safeguard engineering team.
22 articles
How to Rotate Leaked CI Secrets Without Downtime
A leaked CI credential does not have to mean an outage. The dual-credential pattern: issue new alongside old, cut over, verify with usage logs, then revoke — plus what to do after.
How to Respond When a CVE Drops in a Package You Ship
A working playbook for the day a CVE lands in your dependency tree: confirm exposure with SBOM queries, judge real exploitability, patch or mitigate, then prove it and publish VEX.
How to Set Up Dependency Review on GitHub Pull Requests
GitHub's dependency-review-action can block PRs that introduce vulnerable or badly-licensed packages. Here is the exact configuration, plus the cases it silently misses.
How to Verify an npm Package Before Installing It
Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.
How to Vet a GitHub Action Before You Trust It with Secrets
Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.
How to Run a Tabletop Exercise for a Supply Chain Breach
A 90-minute tabletop built on a compromised dependency scenario will expose more gaps than a year of policy reviews. Here is the full agenda, injects included.
How to Meet EO 14028 Self-Attestation Requirements Step by Step
The CISA attestation form is final and the deadlines are real. Here is the step-by-step path: scope, SSDF evidence, POA&Ms, and RSAA submission.
How to Audit Python Dependencies with pip-audit (and What It Misses)
pip-audit checks your Python dependencies against the PyPA advisory database in one command. Here is how to run it well in CI, and the four gaps it leaves open.
How to Write a Vulnerability Disclosure Policy Developers Respect
Most VDPs are lawyer documents nobody reads. Here is how to write one with real safe harbor, honest SLAs, and an intake path researchers will actually use.
How to Generate an SBOM in a GitLab CI Pipeline
A working .gitlab-ci.yml for SBOM generation with Syft: CycloneDX report artifacts, a Grype scan stage, and Cosign attestations pushed next to the image.