slsa
Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.
77 articles
Software Supply Chain Threat Protection: A Framework
Software supply chain threat protection means securing the build pipeline and dependency graph itself, not just the code you write — provenance, signing, and SBOMs are the load-bearing pieces.
Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
SLSA v1.1 Framework Update: What's New
SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practical guide for security teams.
Best practices for securing the software supply chain
From the xz backdoor to SolarWinds, real incidents show why SBOMs, build provenance, and continuous monitoring matter more than scanning alone.
How to Implement SLSA Level 3 Practically
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
GitHub Actions Cache Poisoning Attack Class 2025
GitHub Actions caches were never designed as a trust boundary. In 2025 researchers turned that mismatch into a repeatable supply-chain attack pattern.
Software Signing and Code Integrity in 2026: The Practical State of Play
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
What is In-toto Attestation
In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.
What is Software Provenance
Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.
What is an Attestation (Software Security)
Software attestations are signed, verifiable proofs of how code was built and secured — now a legal requirement for US federal software vendors since March 2024.
Build provenance
What is build provenance and why does it matter? A practical guide to SLSA attestations, provenance predicates, and verification pipelines for software supply chains.
in-toto Attestation Framework Walkthrough 2026
A working engineer's tour of in-toto in 2026: layouts, links, the attestation predicate ecosystem, and how it composes with SLSA, sigstore, and SBOMs.