Safeguard
Tag

slsa

Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.

77 articles

Supply Chain Security

A four-surface framework for software supply-chain risk

Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.

Jul 14, 20267 min read
Supply Chain Security

The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed

NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.

Jul 13, 20267 min read
Cloud Security

Connecting build, deploy, and runtime security into one AppSec lifecycle

The XZ Utils backdoor (CVE-2024-3094) was found in the build chain; most tools that would have caught it stop at deploy. Here's how to close that gap.

Jul 11, 20267 min read
AI Security

Signing and provenance standards for AI agent skill registries

Shai-Hulud infected 500+ npm packages via stolen tokens in 2025. Agent skill registries are repeating the same unsigned-artifact mistake — here's the fix.

Jul 9, 20267 min read
Best Practices

Verifying open source package provenance with SLSA and Sigstore

A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.

Jul 9, 20267 min read
Container Security

Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026

Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.

Jul 8, 20267 min read
DevSecOps

DevSecOps on AWS: a reference architecture for CI/CD security gates

Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.

Jul 8, 20266 min read
DevSecOps

Hardening CI/CD Pipelines End to End

A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.

Jul 8, 20268 min read
Supply Chain Attacks

Anatomy of an npm Build-Pipeline Hijack That Shipped a Cross-Platform RAT

One stolen npm token, three malicious releases, four hours online — and 8 million weekly downloads exposed to a cross-platform credential stealer.

Jul 8, 20266 min read
Open Source Security

Inside OpenSSF's priority stack: SBOM, Scorecard, and Sigstore

OpenSSF now runs eight technical initiative areas and four flagship projects — most teams have heard of one and adopted none. Here's what's actually worth doing first.

Jul 8, 20267 min read
Supply Chain Security

A vendor-neutral framework for software supply chain security tools

Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.

Jul 8, 20266 min read
Supply Chain Security

Software supply chain attacks in 2026: what's actually changed

A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.

Jul 8, 20266 min read
slsa — Safeguard Blog