Safeguard
Tag

build-provenance

Safeguard articles tagged "build-provenance" — guides, analysis, and best practices for software supply chain and application security.

8 articles

Supply Chain Attacks

Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT

One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.

Jul 8, 20266 min read
DevSecOps

Building a security-conscious CI/CD pipeline

CI/CD pipelines are now the top supply chain target. Here's how to build one with real controls—secrets, scoping, SBOMs, and provenance.

May 18, 20266 min read
Software Supply Chain Security

What is the SLSA Framework

SLSA defines four build integrity levels to stop supply chain tampering. Learn what each level requires, who's adopting it, and its real limits.

Mar 6, 20266 min read
Software Supply Chain Security

Build provenance

What is build provenance and why does it matter? A practical guide to SLSA attestations, provenance predicates, and verification pipelines for software supply chains.

Mar 3, 20267 min read
Software Supply Chain Security

What is Reproducible Builds

Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.

Feb 3, 20268 min read
Buyer's Guides

Best software supply chain attestation tools

A practical, no-hype comparison of software supply chain attestation tools — in-toto, Sigstore, GUAC, GitHub, JFrog, and Chainguard — plus how to pick the right fit.

Nov 18, 20257 min read
Engineering

SLSA Level 3 in Practice: What It Takes

SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.

Apr 19, 20246 min read
DevSecOps

SLSA Framework Introduction: Securing Supply Chain Integrity

Google's SLSA framework provides a graduated model for supply chain integrity, from basic provenance to fully verified builds. Here's how it works and why it matters.

Sep 1, 20216 min read
build-provenance — Safeguard Blog