Safeguard
Tag

provenance

Safeguard articles tagged "provenance" — guides, analysis, and best practices for software supply chain and application security.

60 articles

Cloud Security

Cloudflare Workers Build Attestations: A Defender's Field Guide

Workers Builds emits provenance attestations for the code it deploys. We trace how to verify them, gate on them, and integrate them into a multi-cloud supply chain program.

Apr 10, 20267 min read
Software Supply Chain Security

Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)

SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.

Apr 5, 20268 min read
Software Supply Chain Security

Provenance, Attestation, and Signing: A Practical Glossary

Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.

Apr 2, 20268 min read
Application Security

Attack surface reduction: practical strategies to minimiz...

Base images are one layer. Real attack surface reduction covers dependencies, build pipelines, and provenance too — here's what Chainguard's approach misses.

Apr 2, 20267 min read
AI Security

Training Data Poisoning: Pipeline Defenses

A senior engineer's guide to training data poisoning defenses in 2026, from split-learning detection to provenance attestation and continuous pipeline monitoring.

Mar 25, 20267 min read
Best Practices

How to Implement SLSA Level 3 Practically

SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.

Mar 20, 20267 min read
Best Practices

How to Prevent Dependency Confusion in npm (2026)

Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.

Mar 13, 20267 min read
AI Security

Training Data Provenance: Griffin AI vs Mythos

Training data is a supply chain component. Knowing what went into a model is the precondition for knowing what could come out of it. Few tools track this; the few that do matter disproportionately.

Mar 9, 20265 min read
Software Supply Chain Security

What is In-toto Attestation

In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.

Mar 6, 20267 min read
Industry Analysis

The Future of Software Signing Is Keyless

Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.

Mar 5, 20268 min read
Supply Chain

Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing

By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.

Mar 3, 20266 min read
AI Security

Multi-Modal AI Supply Chain Considerations

Multi-modal models bring image, audio, and video into the AI supply chain. Each modality introduces provenance and integrity challenges that text-only pipelines never had to face.

Feb 18, 20268 min read
provenance (Page 3) — Safeguard Blog