Safeguard
Tag

sigstore

Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.

77 articles

Container Security

OCI Image Labels and Annotations: A Practical Guide to Provenance and SBOM Linkage

OCI defines 14 standard org.opencontainers.image.* annotation keys, but labels are unsigned metadata — anyone with build access can forge them.

Jul 16, 20266 min read
Cloud Security

Connecting build, deploy, and runtime security into one AppSec lifecycle

The XZ Utils backdoor (CVE-2024-3094) was found in the build chain; most tools that would have caught it stop at deploy. Here's how to close that gap.

Jul 11, 20267 min read
AI Security

Signing and provenance standards for AI agent skill registries

Shai-Hulud infected 500+ npm packages via stolen tokens in 2025. Agent skill registries are repeating the same unsigned-artifact mistake — here's the fix.

Jul 9, 20267 min read
Best Practices

Verifying open source package provenance with SLSA and Sigstore

A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.

Jul 9, 20267 min read
Open Source Security

How to publish a secure Python package: signing, SBOMs, and trusted publishing

PyPI enforced two-factor authentication for all users on January 1, 2024 — but 2FA alone doesn't stop a stolen API token. Here's the full secure-publishing stack.

Jul 8, 20267 min read
Container Security

Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026

Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.

Jul 8, 20267 min read
Supply Chain Attacks

Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT

One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.

Jul 8, 20266 min read
Open Source Security

Inside OpenSSF's priority stack: SBOM, Scorecard, and Sigstore

OpenSSF now runs eight technical initiative areas and four flagship projects — most teams have heard of one and adopted none. Here's what's actually worth doing first.

Jul 8, 20267 min read
Supply Chain Attacks

Anatomy of a PyPI Compromise: How durabletask Got Hijacked in 35 Minutes

Three malicious durabletask releases hit PyPI in a 35-minute window in May 2026 — a maintainer-token theft, not a code review failure.

Jul 8, 20266 min read
Supply Chain Security

Securing SBOM storage and distribution in cloud environments

GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.

Jul 8, 20267 min read
Supply Chain Security

A vendor-neutral framework for software supply chain security tools

Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.

Jul 8, 20266 min read
Container Security

Kubernetes Supply Chain Security: Trusting What You Deploy

The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.

Jul 7, 20265 min read
sigstore — Safeguard Blog