
Safeguard March 2026 Release Notes

March 2026 at Safeguard.sh: Griffin taint tracking, Eagle SBOM-driven advisories, Lino cross-service baselines, and the new runner air-gap installer.

Shadab Khan
Security Engineer
7 min read

March closed out the quarter with the set of changes that tie Q1 together. Griffin learned to track data, not just control flow. Eagle's advisory engine expanded beyond base images. Lino started comparing services to their peers. And the runner got an installer that handles air-gapped environments end-to-end. Here is the full March release log.

What shipped in March 2026?

Shipped

  • Griffin taint tracking — Griffin now runs a taint-tracking dataflow pass on top of reachability. For a reachable vulnerable symbol, Griffin tells you whether any attacker-controlled input can reach it along a realistic path. Taint tracking is available for Node, Python, Go, Java, and .NET at GA, and for Rust in beta.
  • Eagle SBOM-driven advisories — the advisory engine now considers your full SBOM, not just the base image. It can recommend swapping a runtime, pruning an unused binary that carries a CVE, or switching a build tool whose dependencies are heavier than they need to be.
  • Lino cross-service baselines — Lino can now compare a service to a cohort of peers in addition to its own history. A service that behaves differently from every other service with the same labels is flagged for review even if nothing about its own history has changed.
  • Runner: air-gap installer — a single installer binary that provisions the runner, fleet control plane, and all detector bundles for an offline environment. It signs a manifest of everything it installed so the environment can prove provenance.
  • Desktop: attestation viewer — the desktop app now has a viewer that walks you through the source-image-runtime signed chain for a given deployment.
  • MCP server: policy tools — the MCP server exposes policy.check and policy.simulate so agents can reason about what a policy would do before they do it.

Improved

  • Workflows — new parallel and barrier primitives. parallel fans out deterministically; barrier waits for a named subset of branches before continuing. This replaces a common hand-rolled pattern.
  • Gold — Gold now attempts a "quiet rebase" on remediation PRs when main moves while the PR is open. If the rebase clean-applies, it pushes; if not, it posts a comment and leaves the branch for a human.
  • 100-level scan — the report now includes a taint-tracking section for Griffin findings. If a reachable vulnerable symbol has attacker-controlled data reaching it, the report says so explicitly.
  • IDE extensions — both VS Code and JetBrains extensions now show taint-tracking results inline. A vulnerable symbol with confirmed attacker-controlled data on the way in is shown in red; unreachable is dimmed.

Deprecated

  • The pre-3.0 runner reaches EOL at the end of March. It no longer receives detector updates.
  • sg attest export is deprecated in favor of sg attestation export; the aliased command works through Q2 2026.
  • The old per-workflow cache format is deprecated. Workflows using it emit a warning; the shared cache format is the default.

How does Griffin taint tracking change triage?

Answer-first: taint tracking tells you whether a reachable vulnerable symbol is also exploitable from outside. Reachability answers "can this symbol be called?" Taint tracking answers "can an attacker make this symbol be called with data they control?" The two together collapse most of a triage queue into a small number of findings that actually matter.

In practice, a Griffin finding in March 2026 carries one of four verdicts, combining reachability and taint:

  1. Unreachable — the vulnerable symbol is not on any call path from any entry point. Dimmed, archived silently.
  2. Reachable, no taint — the symbol is callable but no attacker-controlled input reaches it. Surfaced as a lower-priority finding.
  3. Reachable with taint (partial) — the symbol is callable and some attacker-controlled data can reach it, but not through all arguments. Surfaced as a medium-priority finding.
  4. Reachable with full taint — the symbol is callable and attacker-controlled data can reach the arguments that matter for the CVE. This is what gets paged on.

Taint tracking is conservative by default — it prefers false positives over false negatives — but the UI surfaces the confidence band so you can see how sure Griffin is.
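To make the four verdicts concrete, here is an added toy example (not Griffin's code or data model) that combines a reachability pass over a call graph with a dataflow pass over taint edges and classifies a vulnerable symbol the way the list above describes. The call graph, flow edges, sources and the `tar_extract` sink are all constructed for the example.

```python
from collections import deque

# Constructed call graph: caller -> callees. HTTP handlers are the entry points.
CALLS = {
    "handle_upload": ["sanitize_name", "store_archive"],
    "handle_health": ["ping_db"],
    "sanitize_name": [],
    "store_archive": ["tar_extract"],       # tar_extract is the vulnerable symbol
    "ping_db": [],
    "cron_cleanup": ["tar_extract"],        # never called from an entry point
    "tar_extract": [],
}
ENTRY_POINTS = {"handle_upload", "handle_health"}

# Constructed dataflow edges between (function, variable) pairs, as a taint pass emits them.
FLOWS = {
    ("handle_upload", "req.body"): [("store_archive", "blob")],
    ("handle_upload", "req.query.name"): [("sanitize_name", "raw")],
    ("sanitize_name", "raw"): [],           # sanitizer: taint stops here
    ("store_archive", "blob"): [("tar_extract", "data")],
    ("store_archive", "dest"): [("tar_extract", "path")],   # dest is server-controlled
}
TAINT_SOURCES = {("handle_upload", "req.body"), ("handle_upload", "req.query.name")}

def _closure(graph, start):
    """Generic BFS: every node reachable from `start` in `graph`."""
    seen, todo = set(start), deque(start)
    while todo:
        node = todo.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def reachable_symbols(calls=CALLS, entry_points=ENTRY_POINTS):
    """Reachability pass: symbols on some call path from an entry point."""
    return _closure(calls, entry_points)

def tainted_vars(flows=FLOWS, sources=TAINT_SOURCES):
    """Taint pass: every (function, variable) attacker-controlled data can flow into."""
    return _closure(flows, sources)

def verdict(sink, cve_args):
    """Classify `sink`, whose CVE is triggered through the arguments in `cve_args`."""
    if sink not in reachable_symbols():
        return "unreachable"
    hit = {var for fn, var in tainted_vars() if fn == sink}
    if not hit:
        return "reachable, no taint"
    return "reachable, full taint" if hit >= set(cve_args) else "reachable, partial taint"
```

Here `tar_extract` is reachable and `data` is tainted via the upload body, but `path` is not, so a CVE that needs both arguments gets a partial verdict while one triggered through `data` alone is full taint.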

What does an SBOM-driven Eagle advisory look like?

It looks like a base image advisory, but bigger. The advisory engine now considers every component in your SBOM and models tradeoffs beyond the base image. Examples from our own SBOM:

  • "Your openssl is the standalone binary; you link against libssl in libcurl4 already. Remove the binary to drop two reachable CVEs and 6 MB."
  • "Your Node runtime carries npm, which is only used at build time. Use a multi-stage build to keep it out of the final image."
  • "Your image includes bash; the app launches only /bin/sh. Swap to busybox to drop one reachable CVE."

Each suggestion ranks by the same four dimensions the base image advisory uses — reachable CVEs, image size, build time, behavioral compatibility — but applied to any component, not just the base.

Acceptance is manual by default. If you want Gold to auto-apply SBOM advisories, you can opt in with a policy flag and a confidence threshold.

How do Lino cross-service baselines compare services?

Cross-service baselines do peer comparison. A service gets labeled with its language, framework, deployment kind, and any custom labels you set. Lino computes a cohort from those labels and compares the service's fingerprint to the cohort's. A service that talks to a lot more egress destinations than its peers, or that has a much deeper process tree than its peers, is flagged — even if the service's own history hasn't changed.

This is the answer to a specific failure mode: a service that has been misbehaving since the day it shipped, so its own baseline looks like its misbehavior, so same-service baselines miss it. Cross-service baselines catch those.

The peer cohort is cohort-anonymous in the sense that individual services in the cohort are not identified. Lino surfaces the cohort statistics, not the cohort's members.
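As an added sketch of the peer comparison described above (not Lino's code or statistics), the Python below builds a cohort from identical label sets, scores each feature against the cohort's mean and standard deviation, and flags outliers without ever referring to the service's own history. The service fingerprints, the z-score threshold and the minimum cohort size are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed fingerprints: labels plus two of the features the text mentions.
_GIN = {"lang": "go", "framework": "gin", "kind": "deployment"}
SERVICES = {
    "checkout":   {"labels": _GIN, "egress_dests": 4,  "proc_depth": 2},
    "cart":       {"labels": _GIN, "egress_dests": 5,  "proc_depth": 2},
    "inventory":  {"labels": _GIN, "egress_dests": 3,  "proc_depth": 2},
    "pricing":    {"labels": _GIN, "egress_dests": 4,  "proc_depth": 3},
    "reports":    {"labels": _GIN, "egress_dests": 31, "proc_depth": 2},  # odd one out
    "legacy-api": {"labels": {"lang": "python", "framework": "flask", "kind": "deployment"},
                   "egress_dests": 30, "proc_depth": 7},                   # no peers at all
}
FEATURES = ("egress_dests", "proc_depth")

def cohort_of(name, services=SERVICES):
    """Peers: every other service whose label set matches exactly."""
    labels = services[name]["labels"]
    return [n for n, s in services.items() if n != name and s["labels"] == labels]

def peer_deviations(name, services=SERVICES, min_peers=3, threshold=3.0):
    """{feature: z-score} for features where `name` sits far outside its cohort.
    Only cohort statistics are used; peer names never appear in the result."""
    peers = cohort_of(name, services)
    if len(peers) < min_peers:          # too small a cohort says nothing useful
        return {}
    out = {}
    for f in FEATURES:
        vals = [services[p][f] for p in peers]
        mu, sigma = mean(vals), max(pstdev(vals), 1.0)   # floor: uniform cohort, no div-by-zero
        z = (services[name][f] - mu) / sigma
        if abs(z) >= threshold:
            out[f] = round(z, 2)
    return out

def review_queue(services=SERVICES):
    """Services flagged by peer comparison alone, history not consulted."""
    return {n: d for n in services if (d := peer_deviations(n, services))}
```

Note that `reports` would pass a same-service baseline (its egress count has always been 31) but is flagged here because its gin peers sit around 4, while `legacy-api` is skipped because it has no cohort.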

What is the air-gap installer for?

The air-gap installer is the answer to "we want to run Safeguard in an environment that cannot talk to your control plane." The installer is a single binary that carries:

  • The runner and fleet control plane.
  • Every detector bundle for every language the runner supports.
  • The Eagle base image corpus and advisory data.
  • Lino's observer agents and their dependencies.
  • A signed manifest of everything inside, so the environment can audit it.

Installation is a one-shot operation: run the binary, point it at a local registry and a local Kubernetes cluster, and it provisions the fleet. Detector updates are delivered as signed delta bundles that can be sideloaded and verified against the same manifest.

The installer is aimed at regulated environments — government, critical infrastructure, air-gapped R&D networks — that could not use Safeguard before.

How Safeguard.sh Helps

March's net effect: findings got more actionable and Safeguard got more deployable. Taint tracking means a Griffin finding is not just "can be reached" but "can be reached with attacker-controlled data"; most teams can now run a workflow that pages only on the latter. Eagle advisories extend from the base image to every component in your SBOM, which means the suggestion list is longer and the tradeoffs more interesting. Lino's cross-service baselines catch services that have always been subtly wrong. And the air-gap installer brings the platform into environments where it previously could not run. Q1 2026 ends with Safeguard.sh doing more of what it does, in more places, with more precision.

What's next

Q2 2026 is shaping up around:

  • Griffin: taint tracking GA for Rust, beta for Ruby and PHP.
  • Eagle: SLSA level 3 attestations for customer-managed builds.
  • Lino: eBPF-based observer on OpenShift and bare metal.
  • Gold: self-healing for Lino deviations where remediation is known.
  • The runner: fleet autoscaling across clouds.

Email contact@hsxtechnologies.com if any of those is the one you're waiting on.
