Safeguard
Tag

build-security

Safeguard articles tagged "build-security" — guides, analysis, and best practices for software supply chain and application security.

31 articles

Threat Research

Build Pipeline Compromise: When the Factory Ships the Malware

A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.

Jul 4, 20266 min read
Container Security

Multi-Stage Docker Build Security in 2026

Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.

Apr 21, 20267 min read
Software Supply Chain Security

Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)

SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.

Apr 5, 20268 min read
Container Security

Docker BuildKit Security Best Practices for 2026

BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.

Apr 2, 20266 min read
Best Practices

How to Implement SLSA Level 3 Practically

SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.

Mar 20, 20267 min read
Supply Chain Attacks

SolarWinds Sunburst: Five Years of Lessons in 2026

Half a decade after Sunburst, the build system compromise still defines how we think about software supply chain risk. A look at what stuck and what did not.

Jan 9, 20265 min read
Build Security

Software Provenance: An End-to-End Guide

Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance tracking from source to deployment.

Nov 5, 20256 min read
Build Security

Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore

Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.

Sep 25, 20258 min read
Open Source Security

Rust Procedural Macros: Security Risks

Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.

Oct 28, 20246 min read
Best Practices

Build Server Compromise Investigation

A hands-on investigation guide for compromised build servers, from initial containment through rootkit checks and clean rebuild.

Aug 28, 20247 min read
Best Practices

SvelteKit Supply Chain Considerations

SvelteKit's compiled-output philosophy gives it a smaller runtime footprint than React frameworks, but the build-time supply chain is just as complex. Here is what to watch for when you adopt Svelte in production.

Aug 14, 20246 min read
Concepts

What is Egress Filtering in CI

Egress filtering in CI restricts where build jobs can send traffic, so a compromised dependency can't exfiltrate your secrets. Here's how to roll it out without breaking builds.

May 8, 20247 min read
build-security — Safeguard Blog