Safeguard
Tag

slsa

Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.

77 articles

SBOM & Compliance

SLSA Build L1 to L3 Migration Playbook

Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.

Mar 25, 20247 min read
Concepts

What is a Software Attestation

A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.

Mar 10, 20246 min read
Open Source Security

How to Publish an npm Package With Provenance

A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.

Mar 8, 20246 min read
Industry Analysis

RSA Conference 2023 Supply Chain Track: Field Notes

Five takeaways from the supply chain sessions at RSA Conference 2023, from SBOM adoption skepticism to attestation tooling and federal procurement pressure.

Oct 18, 20235 min read
Supply Chain Attacks

SLSA v1.0: Software Provenance Attestation Goes Mainstream

The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.

Sep 10, 20235 min read
Best Practices

Reproducible Builds in the Go Ecosystem

Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.

Jul 20, 20235 min read
Case Studies

How Google Secures Its Software Supply Chain

An inside look at Google's multi-layered approach to supply chain security, from Binary Authorization to SLSA, and what other organizations can adapt from their model.

May 8, 20237 min read
DevSecOps

SLSA v1.0: Supply-chain Levels for Software Artifacts Reaches Maturity

SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.

May 1, 20236 min read
DevSecOps

Software Attestation in Practice: From Theory to Implementation

Software attestation is moving from academic concept to practical requirement. Here's how to implement it in your build pipelines today.

Apr 8, 20236 min read
Security Architecture

Defense in Depth for the Software Supply Chain

No single control stops supply chain attacks. Defense in depth — layered controls across the entire software lifecycle — is the only strategy that works against sophisticated adversaries.

Feb 15, 20235 min read
Regulatory Compliance

SLSA vs SSDF vs S2C2F: Framework Comparison

Three supply chain integrity frameworks. Three different authors. Three different audiences. A practical comparison of SLSA, NIST SSDF, and Microsoft S2C2F for teams picking one.

Aug 30, 20227 min read
DevSecOps

Build Artifact Integrity Verification: From Source to Deployment

If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is security theater. Here is how to close that gap.

Aug 28, 20226 min read
slsa (Page 6) — Safeguard Blog