attestation
Safeguard articles tagged "attestation" — guides, analysis, and best practices for software supply chain and application security.
33 articles
Securing SBOM storage and distribution in cloud environments
GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.
What Is the in-toto Framework?
in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.
What Is an Artifact Attestation?
An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.
What Is Software Provenance?
Software provenance is the verifiable record of where an artifact came from and how it was built. Here's what a provenance record contains, how it is proven, and why it stops build-time tampering.
EO 14144 to EO 14306: How the Federal Software Mandate Evolved
EO 14144 set ambitious supply chain rules for federal software in January 2025. EO 14306 in June reshaped them. Here is what survived, what changed, and what to plan for.
Container Image Supply Chain Security Deep Dive 2026
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
Cloudflare Workers Build Attestations: A Defender's Field Guide
Workers Builds emits provenance attestations for the code it deploys. We trace how to verify them, gate on them, and integrate them into a multi-cloud supply chain program.
Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
Provenance, Attestation, and Signing: A Practical Glossary
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
White House M-22-18 SBOM Attestation Update
OMB M-22-18 and the CISA Secure Software Self-Attestation form continue to evolve. Here is what producers and federal buyers must change in 2026.
SLSA v1.1 Framework Update: What's New
SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practical guide for security teams.
SBOM Drift Detection Playbook for 2026
A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.