attestation
Safeguard articles tagged "attestation" — guides, analysis, and best practices for software supply chain and application security.
33 articles
Confidential Computing in Supply Chain Integration
How Intel TDX, AMD SEV-SNP, and AWS Nitro enclaves plug into build and signing pipelines, with attestation flows and operational tradeoffs.
Provenance Attestation Consumer Workflow
Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the security value actually materialises.
Witness Attestation Collection Workflow
Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.
How to Validate SLSA Provenance in CI
Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.
in-toto Attestation Formats Reviewed
The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.
CISA Secure Software Development Attestation: What Vendors Must Know
CISA now requires software vendors selling to the US government to attest to secure development practices. Here's what the form demands and how to prepare.
SLSA v1.0: Software Provenance Attestation Goes Mainstream
The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.
Software Attestation in Practice: From Theory to Implementation
Software attestation is moving from academic concept to practical requirement. Here's how to implement it in your build pipelines today.
Trusted Computing and TPM in the Software Supply Chain
Trusted Platform Modules provide a hardware root of trust for verifying software integrity. Understanding how TPMs fit into supply chain security helps build tamper-resistant systems.