build-security
Safeguard articles tagged "build-security" — guides, analysis, and best practices for software supply chain and application security.
31 articles
Maven Plugin Verification: Securing Your Java Build Pipeline
Maven plugins execute during your build with full JVM access. Here is how to verify they are legitimate and have not been tampered with.
Maven Enforcer Plugin Security Rules
Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.
Earthly Reproducible Builds and Security
How Earthly's reproducible, containerized build system eliminates environment drift and strengthens build integrity for security-conscious teams.
Gradle Plugin Security Risks: The Code That Runs Before Your Code
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.
Post-Install Hooks Across Package Managers: A Comparative Security Analysis
Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.
Build System Poisoning Techniques: How Attackers Corrupt Your Pipeline
Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compromised. Here is how it happens.
Runtime SBOM vs. Build-Time SBOM: Which Do You Actually Need?
Build-time SBOMs capture what goes into your software; runtime SBOMs capture what actually runs. Understanding the difference is critical for accurate vulnerability management.
WireGuard for Development Infrastructure: Fast, Simple, and Secure Tunneling
WireGuard's simplicity and performance make it well-suited for securing development infrastructure. Here is how to deploy it for build servers, artifact repositories, and developer access.
SLSA v1.0: Supply-chain Levels for Software Artifacts Reaches Maturity
SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.
Software Attestation in Practice: From Theory to Implementation
Software attestation is moving from academic concept to practical requirement. Here's how to implement it in your build pipelines today.
3CX Attack Lessons: What Every Software Vendor Must Do Differently
The 3CX supply chain attack exposed critical gaps in how software vendors protect their build pipelines. Here are the concrete lessons.
Maven Dependency Resolution Attacks: Exploiting Java's Build System
Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.