slsa
Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.
77 articles
How to implement software supply chain security with SLSA
A step-by-step guide to implement SLSA supply chain security: map risk, generate signed provenance, and enforce verification before deploy.
SLSA Level 3 Implementation Blueprint 2026
A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.
npm Provenance Statements: What They Prove and What They Don't
npm provenance ties a package to the commit and CI run that built it. That's genuinely useful — and narrower than most teams assume. Here's the exact boundary.
What is Reproducible Builds
Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.
Safeguard Gold Build Pipeline: How It Works
A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.
State of Software Supply Chain Security 2026
A senior-engineer view of where software supply chain security stands in 2026: what's changed, what's stuck, and where budgets, regulations, and attacker tactics converge.
Reproducible Builds: Why Bit-for-Bit Identical Matters
If two builds of the same source produce different binaries, you cannot prove what you shipped. How determinism breaks, the flags that fix it, and why auditors care.
SLSA v1.2 Source Track: What Changed in November 2025
SLSA v1.2 was approved in November 2025 and finally completes the Source Track that v0.1 only sketched. We break down the new source levels and what producers must change.
Best SLSA-compliant build systems
A fair comparison of SLSA compliant build systems—GitHub Actions, Cloud Build, GitLab, Tekton Chains—with real strengths and limitations for Build Level 3.
npm Provenance: Adoption Tracking in Late 2025
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Software Provenance: An End-to-End Guide
Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance tracking from source to deployment.
What is Binary Provenance
Binary provenance is verifiable metadata proving which source, builder, and process produced an artifact — the paper trail that makes 'where did this come from' answerable.