build-provenance
Safeguard articles tagged "build-provenance" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT
One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.
Building a security-conscious CI/CD pipeline
CI/CD pipelines are now the top supply chain target. Here's how to build one with real controls—secrets, scoping, SBOMs, and provenance.
What is the SLSA Framework
SLSA defines four build integrity levels to stop supply chain tampering. Learn what each level requires, who's adopting it, and its real limits.
Build provenance
What is build provenance and why does it matter? A practical guide to SLSA attestations, provenance predicates, and verification pipelines for software supply chains.
What is Reproducible Builds
Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.
Best software supply chain attestation tools
A practical, no-hype comparison of software supply chain attestation tools — in-toto, Sigstore, GUAC, GitHub, JFrog, and Chainguard — plus how to pick the right fit.
SLSA Level 3 in Practice: What It Takes
SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.
SLSA Framework Introduction: Securing Supply Chain Integrity
Google's SLSA framework provides a graduated model for supply chain integrity, from basic provenance to fully verified builds. Here's how it works and why it matters.