Safeguard
Tag

slsa

Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.

77 articles

Supply Chain

Software Supply Chain Threat Protection: A Framework

Software supply chain threat protection means securing the build pipeline and dependency graph itself, not just the code you write — provenance, signing, and SBOMs are the load-bearing pieces.

Apr 8, 20265 min read
Software Supply Chain Security

Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)

SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.

Apr 5, 20268 min read
Regulatory Compliance

SLSA v1.1 Framework Update: What's New

SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practical guide for security teams.

Mar 30, 20266 min read
Industry Analysis

Best practices for securing the software supply chain

From the xz backdoor to SolarWinds, real incidents show why SBOMs, build provenance, and continuous monitoring matter more than scanning alone.

Mar 26, 20267 min read
Best Practices

How to Implement SLSA Level 3 Practically

SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.

Mar 20, 20267 min read
Emerging Technology

GitHub Actions Cache Poisoning Attack Class 2025

GitHub Actions caches were never designed as a trust boundary. In 2025 researchers turned that mismatch into a repeatable supply-chain attack pattern.

Mar 17, 20268 min read
Industry Trends

Software Signing and Code Integrity in 2026: The Practical State of Play

Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.

Mar 8, 20267 min read
Software Supply Chain Security

What is In-toto Attestation

In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.

Mar 6, 20267 min read
Software Supply Chain Security

What is Software Provenance

Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.

Mar 5, 20267 min read
Software Supply Chain Security

What is an Attestation (Software Security)

Software attestations are signed, verifiable proofs of how code was built and secured — now a legal requirement for US federal software vendors since March 2024.

Mar 5, 20267 min read
Software Supply Chain Security

Build provenance

What is build provenance and why does it matter? A practical guide to SLSA attestations, provenance predicates, and verification pipelines for software supply chains.

Mar 3, 20267 min read
Software Supply Chain Security

in-toto Attestation Framework Walkthrough 2026

A working engineer's tour of in-toto in 2026: layouts, links, the attestation predicate ecosystem, and how it composes with SLSA, sigstore, and SBOMs.

Mar 2, 20265 min read
slsa (Page 3) — Safeguard Blog