build-integrity
Safeguard articles tagged "build-integrity" — guides, analysis, and best practices for software supply chain and application security.
14 articles
What Is the in-toto Framework?
in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.
What Is Software Provenance?
Software provenance is the verifiable record of where an artifact came from and how it was built. Here's what a provenance record contains, how it is proven, and why it stops build-time tampering.
Lessons from SolarWinds: When the Build Pipeline Becomes the Attack Surface
The SUNBURST backdoor reached roughly 18,000 organizations through a trojanized SolarWinds Orion update. Here is what actually happened, and the defenses that hold up years later.
What Is SLSA? Supply-chain Levels for Software Artifacts Explained
SLSA is an open framework of graded security levels for build integrity, letting teams prove how a software artifact was produced. Here's how the Build track levels work and how to reach them.
What Is SLSA (Supply-chain Levels for Software Artifacts)
SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.
SLSA Level 3 Implementation Blueprint 2026
A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.
Reproducible Builds: Why Bit-for-Bit Identical Matters
If two builds of the same source produce different binaries, you cannot prove what you shipped. How determinism breaks, the flags that fix it, and why auditors care.
What is a Build Cache Poisoning Attack
Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.
SLSA v1.1 Build Track: What Approved Means for Adopters
SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.
What is an SBOM Drift
SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.
SLSA Builder Requirements in Production
The SLSA specification sets explicit requirements for builders at each level. Here is what those requirements actually mean when you operate a builder in production.
SLSA Build L1 to L3 Migration Playbook
Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.