supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack
GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.
Rust Cargo Supply Chain Defence Program
A 2026 defence program for Rust and Cargo — covering crates.io, build scripts, proc-macros, and binary provenance — anchored by Safeguard policy gates.
Unifying Software And AI Assets In One Graph
Two parallel inventories for software and AI assets do not survive contact with reality. A unified graph is what makes governance feasible.
FedRAMP Continuous Monitoring: Supply Chain Controls
FedRAMP's continuous monitoring requirements now include supply chain risk. Learn how to produce monthly evidence aligned with NIST SP 800-161 controls.
OCI Artifact Signing Rollout Program
A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.
SBOM Quality: Fields Auditors Actually Check
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.
MSI Graphics Driver Supply Chain Breach 2023: Lessons
The MSI breach exposed Intel BootGuard private keys and OEM signing infrastructure. A look at firmware-level supply chain risk and the gaps that remain.
Griffin AI vs Open Weights: Supply Chain Risks
Open-weight models give you total deployment control. They also give you a new supply chain to secure. The tradeoff is worth being explicit about.
npm Garbage Collection Abuse: Attack Research
npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and swap tarball contents. Here is the 2025 research.
SBOM Drift Detection Playbook for 2026
A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.
CycloneDX 1.7 Migration Guide From 1.5
A practical migration path from CycloneDX 1.5 to 1.7 covering schema changes, machine learning BOM additions, formulation, and the tooling adjustments required.
CI/CD Platform Attack Trends 2026
CI/CD platforms have become high-value supply chain targets. We analyze 2026 attack trends, including runner abuse, action poisoning, and OIDC token theft.