Tag
build-attestation
Safeguard articles tagged "build-attestation" — guides, analysis, and best practices for software supply chain and application security.
2 articles
Engineering
npm Provenance Statements: What They Prove and What They Don't
npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.
Feb 11, 20266 min read
Concepts
What is Binary Provenance
Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.
Oct 9, 20256 min read