Tag
slsa-provenance
Safeguard articles tagged "slsa-provenance" — guides, analysis, and best practices for software supply chain and application security.
3 articles
Software Supply Chain Security
TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)
On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.
May 15, 202611 min read
SBOM
Generating SBOMs and provenance with GCP Artifact Analysis
A step-by-step guide to GCP SBOM generation using Artifact Analysis: scan container images, export SPDX/CycloneDX SBOMs, and attach SLSA provenance attestations.
Jan 11, 20267 min read
DevSecOps
Securing Cloud Build pipelines and generating SLSA proven...
How to secure Cloud Build supply chain security with least-privilege service accounts and SLSA provenance so tampered builds never reach production.
Jan 10, 20267 min read