Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Rekor transparency log
What is Rekor? It's the public, immutable transparency log at the heart of Sigstore that records software signing events for tamper-evident verification.
CycloneDX
CycloneDX is the OWASP-backed SBOM standard for tracking software components, vulnerabilities, and VEX statements. Here's what is CycloneDX and how it compares to SPDX.
SPDX
What is SPDX? A plain-English guide to the ISO-standard SBOM and license format that documents what's really inside your software.
Build provenance
What is build provenance and why does it matter? A practical guide to SLSA attestations, provenance predicates, and verification pipelines for software supply chains.
in-toto Attestation Framework Walkthrough 2026
A working engineer's tour of in-toto in 2026: layouts, links, the attestation predicate ecosystem, and how it composes with SLSA, sigstore, and SBOMs.
Post-Quantum Cryptography Migration for Software Supply Chains
NIST finalized ML-KEM, ML-DSA, and SLH-DSA in 2024. Here's what it means for Sigstore, package registry signing, TLS, and the harvest-now-decrypt-later problem.
How to enable Dependabot version updates
A step-by-step guide to enabling Dependabot version updates on GitHub, including dependabot.yml configuration, scheduling, and verification checks.
SCA with Reachability: A Buyer Guide for 2026
How to evaluate software composition analysis tools that claim reachability analysis, including the technical questions that separate real implementations from marketing.
How to configure GitHub branch protection rules
A practical guide to configuring GitHub branch protection rules — required reviews, status checks, and security settings that keep your main branch safe.
How to set up signed commits with GPG
A step-by-step guide to set up GPG signed commits in Git: generate a key, configure Git, publish it to GitHub, verify signatures, and fix common errors.
How to implement software supply chain security with SLSA
A step-by-step guide to implement SLSA supply chain security: map risk, generate signed provenance, and enforce verification before deploy.
SLSA Level 3 Implementation Blueprint 2026
A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.