Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Supply Chain

GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack

GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.

Mar 25, 20266 min read
Open Source Security

Rust Cargo Supply Chain Defence Program

A 2026 defence program for Rust and Cargo — covering crates.io, build scripts, proc-macros, and binary provenance — anchored by Safeguard policy gates.

Mar 25, 20267 min read
Best Practices

Unifying Software And AI Assets In One Graph

Two parallel inventories for software and AI assets do not survive contact with reality. A unified graph is what makes governance feasible.

Mar 25, 20267 min read
Regulatory Compliance

FedRAMP Continuous Monitoring: Supply Chain Controls

FedRAMP's continuous monitoring requirements now include supply chain risk. Learn how to produce monthly evidence aligned with NIST SP 800-161 controls.

Mar 24, 20266 min read
Container Security

OCI Artifact Signing Rollout Program

A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.

Mar 24, 20267 min read
SBOM & Compliance

SBOM Quality: Fields Auditors Actually Check

Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.

Mar 24, 20266 min read
Incident Analysis

MSI Graphics Driver Supply Chain Breach 2023: Lessons

The MSI breach exposed Intel BootGuard private keys and OEM signing infrastructure. A look at firmware-level supply chain risk and the gaps that remain.

Mar 24, 20265 min read
AI Security

Griffin AI vs Open Weights: Supply Chain Risks

Open-weight models give you total deployment control. They also give you a new supply chain to secure. The tradeoff is worth being explicit about.

Mar 23, 20263 min read
Emerging Technology

npm Garbage Collection Abuse: Attack Research

npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and swap tarball contents. Here is the 2025 research.

Mar 23, 20268 min read
SBOM

SBOM Drift Detection Playbook for 2026

A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.

Mar 22, 20266 min read
SBOM

CycloneDX 1.7 Migration Guide From 1.5

A practical migration path from CycloneDX 1.5 to 1.7 covering schema changes, machine learning BOM additions, formulation, and the tooling adjustments required.

Mar 22, 20265 min read
Industry Analysis

CI/CD Platform Attack Trends 2026

CI/CD platforms have become high-value supply chain targets. We analyze 2026 attack trends, including runner abuse, action poisoning, and OIDC token theft.

Mar 21, 20267 min read
supply-chain (Page 14) — Safeguard Blog