provenance
Safeguard articles tagged "provenance" — guides, analysis, and best practices for software supply chain and application security.
60 articles
How to implement software supply chain security with SLSA
A step-by-step guide to implement SLSA supply chain security: map risk, generate signed provenance, and enforce verification before deploy.
SLSA Level 3 Implementation Blueprint 2026
A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.
AI Model Weights: Signing, Attestation, Provenance
Model weights are binaries with the privilege of code and the review of documents. Here is what signing, attestation, and provenance should actually look like.
AI Model Weight Tampering Detection Techniques
Weight-level tampering leaves cryptographic and statistical fingerprints. Here is what current research says about detecting a modified checkpoint before it reaches inference.
npm Provenance Statements in Practice (2026)
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
AI Code-Generation Audit Trail Patterns
When AI writes code that ships to production, the audit trail is a compliance requirement, not a nice-to-have. Patterns for capturing it without killing velocity.
What Is a Build Artifact?
A build artifact is the packaged output your build process produces from source code. Here is why artifacts are a critical supply chain checkpoint and how to verify their provenance.
AI Model Watermarking and Provenance
Watermarking and provenance are the two most confused terms in AI security. A practical breakdown of what each actually does, where the 2025 techniques break, and what to ship in the meantime.
SLSA v1.2 Source Track: What Changed in November 2025
SLSA v1.2 was approved in November 2025 and finally completes the Source Track that v0.1 only sketched. We break down the new source levels and what producers must change.
npm Provenance: Adoption Tracking in Late 2025
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Software Provenance: An End-to-End Guide
Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance tracking from source to deployment.
How to Verify an npm Package Before Installing It
Five checks that take about four minutes — tarball inspection, install-script review, provenance verification, maintainer signals — before you let a new npm package run code on your machine.