Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

SBOM & Compliance

VEX Statements: Eliminating SBOM Noise In 2026

An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.

Mar 19, 20266 min read
DevSecOps

GitLab CI Supply Chain Hardening Checklist 2026

A 2026 hardening checklist for GitLab CI: ID tokens, protected branches, runner isolation, included templates, and the controls that actually shrink blast radius.

Mar 19, 20265 min read
Best Practices

Dev Containers Security Baseline for 2026

A practical security baseline for devcontainer.json files in 2026, covering base image selection, features, lifecycle scripts, and the supply chain controls that actually matter.

Mar 19, 20266 min read
Emerging Technology

GitHub Actions Cache Poisoning Attack Class 2025

GitHub Actions caches were never designed as a trust boundary. In 2025 researchers turned that mismatch into a repeatable supply-chain attack pattern.

Mar 17, 20268 min read
Incident Analysis

Docker Hub Exposed Secrets at Scale 2024

Researchers keep finding valid AWS, GitHub, and cloud credentials baked into public Docker Hub images. What the 2024 data shows and how to stop shipping secrets.

Mar 17, 20268 min read
Industry Analysis

Container Image Supply Chain Incidents 2026

Container image supply chain incidents have grown in frequency and impact. We analyze the 2026 patterns, the registry tradecraft, and what defenders should change.

Mar 16, 20267 min read
Best Practices

Automating License Policy: Blocking AGPL At PR

License risk that surfaces at release time is already too late. PR-time license policy turns an open-ended legal review into an automated, predictable check.

Mar 16, 20268 min read
AI Security

Proof-Of-Concept Payloads From Discovered Paths

A taint path is not an exploit. Here is how a zero-day pipeline turns a reachable flow into a defensible proof-of-concept payload without inventing a vulnerability.

Mar 16, 20267 min read
Best Practices

Fourth-Party Risk: The Supply Chain Of Vendors

Your vendors have vendors. Most TPRM programs stop at the third party and miss the fourth-party blast radius. Mapping the full chain is now a board-level expectation.

Mar 15, 20267 min read
Open Source Security

Ruby / Bundler Supply Chain Program 2026

A 2026 supply chain program for Ruby and Bundler — covering RubyGems, Gemfile.lock, native extensions, and Rails — anchored by Safeguard policy gates.

Mar 15, 20267 min read
Best Practices

Runtime Asset Attribution: Pods To Services

Mapping a running pod back to a service, repo, owner, and SBOM is the boring infrastructure that makes every other security control useful.

Mar 15, 20267 min read
Best Practices

Best SBOM Management Platforms 2026 Review

A 2026 review of the best SBOM management platforms, comparing Dependency-Track, Anchore, Kusari, and Safeguard on depth and compliance.

Mar 15, 20267 min read
supply-chain (Page 16) — Safeguard Blog