Safeguard
Tag

attestation

Safeguard articles tagged "attestation" — guides, analysis, and best practices for software supply chain and application security.

33 articles

Supply Chain Security

Securing SBOM storage and distribution in cloud environments

GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.

Jul 8, 20267 min read
Concepts

What Is the in-toto Framework?

in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.

Jul 6, 20266 min read
Concepts

What Is an Artifact Attestation?

An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.

Jul 4, 20266 min read
Concepts

What Is Software Provenance?

Software provenance is the verifiable record of where an artifact came from and how it was built. Here's what a provenance record contains, how it is proven, and why it stops build-time tampering.

Jul 3, 20266 min read
Compliance

EO 14144 to EO 14306: How the Federal Software Mandate Evolved

EO 14144 set ambitious supply chain rules for federal software in January 2025. EO 14306 in June reshaped them. Here is what survived, what changed, and what to plan for.

May 6, 20266 min read
Software Supply Chain Security

Container Image Supply Chain Security Deep Dive 2026

A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.

Apr 22, 20266 min read
Cloud Security

Cloudflare Workers Build Attestations: A Defender's Field Guide

Workers Builds emits provenance attestations for the code it deploys. We trace how to verify them, gate on them, and integrate them into a multi-cloud supply chain program.

Apr 10, 20267 min read
Software Supply Chain Security

Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)

SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.

Apr 5, 20268 min read
Software Supply Chain Security

Provenance, Attestation, and Signing: A Practical Glossary

Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.

Apr 2, 20268 min read
Compliance

White House M-22-18 SBOM Attestation Update

OMB M-22-18 and the CISA Secure Software Self-Attestation form continue to evolve. Here is what producers and federal buyers must change in 2026.

Mar 31, 20268 min read
Regulatory Compliance

SLSA v1.1 Framework Update: What's New

SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practical guide for security teams.

Mar 30, 20266 min read
SBOM

SBOM Drift Detection Playbook for 2026

A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.

Mar 22, 20266 min read
attestation — Safeguard Blog