Safeguard
Tag

provenance

Safeguard articles tagged "provenance" — guides, analysis, and best practices for software supply chain and application security.

60 articles

Frameworks

SLSA v1.1 Build Track: What Approved Means for Adopters

SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.

May 8, 20257 min read
SBOM & Compliance

Provenance Attestation Consumer Workflow

Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the security value actually materialises.

Nov 20, 20247 min read
SBOM & Compliance

SLSA Build Provenance for Python Publish

Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.

Oct 15, 20247 min read
DevSecOps

How to Validate SLSA Provenance in CI

Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.

Sep 14, 20244 min read
Open Source Security

OSS Trademark Policies: Security Angle

Trademarks matter in open source security because they are the signal of authentic origin. When trademark policies fail, typosquatting, impostor forks, and compromised builds follow.

Aug 10, 20247 min read
SBOM & Compliance

SLSA for Go Releases: A Practical Guide

Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.

May 15, 20246 min read
SBOM & Compliance

SLSA Build L1 to L3 Migration Playbook

Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.

Mar 25, 20247 min read
Open Source Security

How to Publish an npm Package With Provenance

A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.

Mar 8, 20246 min read
Supply Chain Attacks

SLSA v1.0: Software Provenance Attestation Goes Mainstream

The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.

Sep 10, 20235 min read
Best Practices

Reproducible Builds in the Go Ecosystem

Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.

Jul 20, 20235 min read
DevSecOps

Build Artifact Integrity Verification: From Source to Deployment

If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is security theater. Here is how to close that gap.

Aug 28, 20226 min read
DevSecOps

Software Provenance Tracking: From Source to Production

Software provenance answers the question: where did this code come from, who built it, and can I trust it? In 2022, provenance tracking moved from academic concept to practical necessity.

May 28, 20226 min read
provenance (Page 5) — Safeguard Blog