Supply Chain Security
In-depth guides and analysis on supply chain security from the Safeguard engineering team.
55 articles
Package Manager Security: npm, pip, and Maven Compared
Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.
Supply Chain Security for Government Agencies
Government agencies face unique software supply chain threats. Here's how federal and state organizations can protect critical infrastructure from compromise.
Notary v2 Content Trust: A Practical Implementation Guide
Docker Content Trust never gained traction. Notary v2, now called Notation, is the replacement. Here is how to implement it and what has changed.
Linux Distribution Package Signing: How It Actually Works
Package signing is the backbone of Linux software distribution security. Most teams trust it blindly without understanding the verification chain they depend on.
OCI Artifact Signing Standards: Making Sense of the Landscape
Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you need to implement.
Azure DevOps Supply Chain Risks: Securing Your Microsoft CI/CD Pipeline
Azure DevOps pipelines present unique supply chain risks from marketplace extensions to service connections. A breakdown of the attack surface and how to harden it.
XcodeGhost Revisited: How a Trojanized IDE Infected Thousands of iOS Apps
XcodeGhost compromised Apple's developer toolchain by distributing a modified Xcode IDE. Years later, the attack remains a textbook example of build-tool supply chain compromise.