Safeguard
Tag

slsa

Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.

77 articles

Build Security

Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore

Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.

Sep 25, 20258 min read
SBOM

Third-Party SBOM Trust: Can You Verify a Vendor's Bill of...

A vendor's SBOM is a claim, not proof. Here's what actually verifies third-party software bills of materials — and why signatures alone aren't enough.

Jul 28, 20258 min read
Frameworks

Software Supply Chain Security Maturity: Where Does Your Organization Stand?

Most organizations know they should care about software supply chain security, but few have a structured way to assess their maturity. A practical framework for evaluating and improving your posture.

Jun 1, 20258 min read
Frameworks

SLSA v1.1 Build Track: What Approved Means for Adopters

SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.

May 8, 20257 min read
Best Practices

Zero Trust Principles Applied to the Software Supply Chain

Zero trust is not just a network architecture concept. Applied to the software supply chain, it fundamentally changes how organizations verify code, dependencies, and build processes.

Nov 25, 20247 min read
SBOM & Compliance

Provenance Attestation Consumer Workflow

Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the security value actually materialises.

Nov 20, 20247 min read
SBOM & Compliance

SLSA Build Provenance for Python Publish

Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.

Oct 15, 20247 min read
DevSecOps

How to Validate SLSA Provenance in CI

Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.

Sep 14, 20244 min read
SBOM & Compliance

SLSA Builder Requirements in Production

The SLSA specification sets explicit requirements for builders at each level. Here is what those requirements actually mean when you operate a builder in production.

Aug 28, 20247 min read
SBOM & Compliance

in-toto Attestation Formats Reviewed

The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.

Jun 28, 20246 min read
SBOM & Compliance

SLSA for Go Releases: A Practical Guide

Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.

May 15, 20246 min read
Engineering

SLSA Level 3 in Practice: What It Takes

SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.

Apr 19, 20246 min read
slsa (Page 5) — Safeguard Blog