software-provenance
Safeguard articles tagged "software-provenance" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Malicious code in scoped npm packages: what the Miasma attack teaches
32 releases under the trusted @redhat-cloud-services npm scope shipped credential-stealing malware in June 2026 — with valid SLSA provenance attached.
What Is Software Provenance?
Software provenance is the verifiable record of where an artifact came from and how it was built. Here's what a provenance record contains, how it is proven, and why it stops build-time tampering.
What Is SLSA (Supply-chain Levels for Software Artifacts)
SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.
What is Software Provenance
Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.
Best software provenance verification tools
A practical, no-fluff comparison of software provenance verification tools — Sigstore, in-toto, GitHub Attestations, JFrog, Chainguard, and Kosli — plus what to evaluate before you buy.
Why 'We Have an SBOM' Isn't the Same as 'We Are Secure'
An SBOM tells you what's in your software, not whether it's safe. Here's why inventory alone can't stop supply chain attacks like XZ Utils or SolarWinds.