Safeguard
Tag

sigstore

Safeguard articles tagged "sigstore" — guides, analysis, and best practices for software supply chain and application security.

78 articles

Open Source Security

Sigstore Reaches GA: Free Software Signing for Everyone

Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.

Oct 15, 20226 min read
Kubernetes Security

Kubernetes Supply Chain Policy Engines: Enforcing What Gets Deployed

Scanning for vulnerabilities means nothing if you cannot enforce the results. Supply chain policy engines in Kubernetes turn security findings into hard deployment gates.

Jun 8, 20226 min read
DevSecOps

Software Provenance Tracking: From Source to Production

Software provenance answers the question: where did this code come from, who built it, and can I trust it? In 2022, provenance tracking moved from academic concept to practical necessity.

May 28, 20226 min read
Supply Chain Security

OCI Artifact Signing Standards: Making Sense of the Landscape

Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you need to implement.

May 12, 20225 min read
Best Practices

A First-Principles Guide to Artifact Signing in 2022

Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.

Mar 20, 20226 min read
DevSecOps

Sigstore and Cosign: Software Signing for the Rest of Us

Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.

Oct 25, 20216 min read
sigstore (Page 7) — Safeguard Blog