build-security
Safeguard articles tagged "build-security" — guides, analysis, and best practices for software supply chain and application security.
31 articles
Build Pipeline Compromise: When the Factory Ships the Malware
A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.
Multi-Stage Docker Build Security in 2026
Multi-stage builds are the right way to ship secure container images, but the security benefits depend on getting the stage boundaries right. A guide for 2026.
Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
Docker BuildKit Security Best Practices for 2026
BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.
How to Implement SLSA Level 3 Practically
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
SolarWinds Sunburst: Five Years of Lessons in 2026
Half a decade after Sunburst, the build system compromise still defines how we think about software supply chain risk. A look at what stuck and what did not.
Software Provenance: An End-to-End Guide
Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance tracking from source to deployment.
Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore
Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.
Rust Procedural Macros: Security Risks
Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.
Build Server Compromise Investigation
A hands-on investigation guide for compromised build servers, from initial containment through rootkit checks and clean rebuild.
SvelteKit Supply Chain Considerations
SvelteKit's compiled-output philosophy gives it a smaller runtime footprint than React frameworks, but the build-time supply chain is just as complex. Here is what to watch for when you adopt Svelte in production.
What is Egress Filtering in CI
Egress filtering in CI restricts where build jobs can send traffic, so a compromised dependency can't exfiltrate your secrets. Here's how to roll it out without breaking builds.