Safeguard
Tag

slsa

Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.

77 articles

Software Supply Chain Security

How to implement software supply chain security with SLSA

A step-by-step guide to implement SLSA supply chain security: map risk, generate signed provenance, and enforce verification before deploy.

Feb 17, 20268 min read
Software Supply Chain Security

SLSA Level 3 Implementation Blueprint 2026

A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.

Feb 15, 20266 min read
Engineering

npm Provenance Statements: What They Prove and What They Don't

npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.

Feb 11, 20266 min read
Software Supply Chain Security

What is Reproducible Builds

Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.

Feb 3, 20268 min read
Architecture

Safeguard Gold Build Pipeline: How It Works

A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.

Jan 28, 20267 min read
Industry Analysis

State of Software Supply Chain Security 2026

A senior-engineer view of where software supply chain security stands in 2026: what's changed, what's stuck, and where budgets, regulations, and attacker tactics converge.

Jan 25, 20269 min read
Engineering

Reproducible Builds: Why Bit-for-Bit Identical Matters

If two builds of the same source produce different binaries, you cannot prove what you shipped. How determinism breaks, the flags that fix it, and why auditors care.

Dec 4, 20256 min read
Frameworks

SLSA v1.2 Source Track: What Changed in November 2025

SLSA v1.2 was approved in November 2025 and finally completes the Source Track that v0.1 only sketched. We break down the new source levels and what producers must change.

Nov 20, 20256 min read
Industry Analysis

Best SLSA-compliant build systems

A fair comparison of SLSA compliant build systems—GitHub Actions, Cloud Build, GitLab, Tekton Chains—with real strengths and limitations for Build Level 3.

Nov 18, 20258 min read
Open Source Security

npm Provenance: Adoption Tracking in Late 2025

Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.

Nov 12, 20254 min read
Build Security

Software Provenance: An End-to-End Guide

Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance tracking from source to deployment.

Nov 5, 20256 min read
Concepts

What is Binary Provenance

Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.

Oct 9, 20256 min read
slsa (Page 4) — Safeguard Blog