Safeguard
Tag

build-integrity

Safeguard articles tagged "build-integrity" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Concepts

What Is the in-toto Framework?

in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.

Jul 6, 20266 min read
Concepts

What Is Software Provenance?

Software provenance is the verifiable record of where an artifact came from and how it was built. Here's what a provenance record contains, how it is proven, and why it stops build-time tampering.

Jul 3, 20266 min read
Threat Research

Lessons from SolarWinds: When the Build Pipeline Becomes the Attack Surface

The SUNBURST backdoor reached roughly 18,000 organizations through a trojanized SolarWinds Orion update. Here is what actually happened, and the defenses that hold up years later.

Jul 1, 20266 min read
Concepts

What Is SLSA? Supply-chain Levels for Software Artifacts Explained

SLSA is an open framework of graded security levels for build integrity, letting teams prove how a software artifact was produced. Here's how the Build track levels work and how to reach them.

Jul 1, 20266 min read
SBOM

What Is SLSA (Supply-chain Levels for Software Artifacts)

SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.

Jun 2, 20268 min read
Software Supply Chain Security

SLSA Level 3 Implementation Blueprint 2026

A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.

Feb 15, 20266 min read
Engineering

Reproducible Builds: Why Bit-for-Bit Identical Matters

If two builds of the same source produce different binaries, you cannot prove what you shipped. How determinism breaks, the flags that fix it, and why auditors care.

Dec 4, 20256 min read
Concepts

What is a Build Cache Poisoning Attack

Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.

Jul 14, 20256 min read
Frameworks

SLSA v1.1 Build Track: What Approved Means for Adopters

SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.

May 8, 20257 min read
Concepts

What is an SBOM Drift

SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.

Oct 8, 20247 min read
SBOM & Compliance

SLSA Builder Requirements in Production

The SLSA specification sets explicit requirements for builders at each level. Here is what those requirements actually mean when you operate a builder in production.

Aug 28, 20247 min read
SBOM & Compliance

SLSA Build L1 to L3 Migration Playbook

Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.

Mar 25, 20247 min read
build-integrity — Safeguard Blog