Safeguard
Tag

provenance

Safeguard articles tagged "provenance" — guides, analysis, and best practices for software supply chain and application security.

60 articles

Concepts

What Is an Artifact Attestation?

An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.

Jul 4, 20266 min read
Security Guides

Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End

The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.

Jul 3, 20266 min read
AI Security

AI Model Supply Chain Attacks: How Weights Become Malware

You would never run an unknown binary from a stranger, but teams pull unknown model weights off public hubs every day. Loading them can be code execution — and that is only the most obvious link in the chain.

Jul 2, 20265 min read
Security Guides

How to Build a Secure npm Package (2026)

A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.

Jul 1, 20265 min read
Concepts

What Is SLSA? Supply-chain Levels for Software Artifacts Explained

SLSA is an open framework of graded security levels for build integrity, letting teams prove how a software artifact was produced. Here's how the Build track levels work and how to reach them.

Jul 1, 20266 min read
AI Security

Patch the Planet: What AI-Generated Fixes Actually Mean for Open-Source Maintainers

OpenAI's Patch the Planet, co-founded with Trail of Bits, wants to move widely-used open-source projects from findings to fixes. The ambition is right — but it shifts the bottleneck to maintainer review, patch provenance, and the trust of machine-authored code.

Jun 24, 20266 min read
Supply Chain Security

CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm

The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.

Jun 23, 20267 min read
AI Security

AIBOM in 2026: Treating AI Models as a Software Supply Chain

The AI bill of materials is graduating from optional security artifact to procurement requirement. Here is what AIBOM/ML-BOM actually tracks in 2026, how it ties to the EU AI Act, and where it still falls short.

Jun 15, 20267 min read
Open Source Security

Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal

Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.

May 15, 20267 min read
DevSecOps

npm provenance attestations walkthrough for 2026

npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.

May 13, 20269 min read
Buyer's Guides

Aikido vs Socket: supply chain security comparison

Aikido bundles SAST/DAST/SCA into one ASPM platform; Socket digs into package behavior. Here's where Safeguard's provenance-first approach fits between them.

May 6, 20267 min read
Software Supply Chain Security

Container Image Supply Chain Security Deep Dive 2026

A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.

Apr 22, 20266 min read
provenance (Page 2) — Safeguard Blog