provenance
Safeguard articles tagged "provenance" — guides, analysis, and best practices for software supply chain and application security.
60 articles
Cloudflare Workers Build Attestations: A Defender's Field Guide
Workers Builds emits provenance attestations for the code it deploys. We trace how to verify them, gate on them, and integrate them into a multi-cloud supply chain program.
Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
Provenance, Attestation, and Signing: A Practical Glossary
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
Attack surface reduction: practical strategies to minimiz...
Base images are one layer. Real attack surface reduction covers dependencies, build pipelines, and provenance too — here's what Chainguard's approach misses.
Training Data Poisoning: Pipeline Defenses
A senior engineer's guide to training data poisoning defenses in 2026, from split-learning detection to provenance attestation and continuous pipeline monitoring.
How to Implement SLSA Level 3 Practically
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
How to Prevent Dependency Confusion in npm (2026)
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
Training Data Provenance: Griffin AI vs Mythos
Training data is a supply chain component. Knowing what went into a model is the precondition for knowing what could come out of it. Few tools track this; the few that do matter disproportionately.
What is In-toto Attestation
In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.
The Future of Software Signing Is Keyless
Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.
Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing
By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.
Multi-Modal AI Supply Chain Considerations
Multi-modal models bring image, audio, and video into the AI supply chain. Each modality introduces provenance and integrity challenges that text-only pipelines never had to face.