Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Emerging Technology

Confused Deputy Attacks on CI/CD Service Accounts

Build systems hold broad trust and tight deadlines, which makes them perfect confused deputies. Here is how the attack pattern shows up in modern CI/CD and how to defang it.

Mar 15, 20268 min read
SBOM & Compliance

AI-BOM And EU AI Act Article 10 Data Governance

Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.

Mar 14, 20267 min read
Container Security

Chiseled / Distroless Image Rollout Program

What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.

Mar 14, 20267 min read
Regulatory Compliance

HIPAA Supply Chain Evidence For Business Associates

HIPAA Security Rule expectations now reach into the software supply chain. Learn how Business Associates can produce evidence that satisfies OCR scrutiny.

Mar 14, 20267 min read
Threat Intelligence

APT29 Cloud Supply Chain Tradecraft 2025

APT29's 2024-2025 cloud-native tradecraft — from Midnight Blizzard's Microsoft intrusion to the Teams phishing pivots — shows how SVR targets identity as supply chain.

Mar 14, 20267 min read
Compliance

CMMC Level 3 Software Supply Chain Checklist 2026

A senior engineer's CMMC Level 3 checklist focused on software supply chain: SBOM, SC-SR controls, SSP evidence, and the operational gaps most defense contractors still have.

Mar 14, 20268 min read
Regulatory Compliance

FedRAMP High Supply Chain Controls in 2026

Rev 5 controls are the operative baseline, and the SR control family is where most FedRAMP High authorizations are now spending their assessor time in 2026.

Mar 14, 20265 min read
Best Practices

How to Prevent Dependency Confusion in npm (2026)

Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.

Mar 13, 20267 min read
Supply Chain Attacks

Ledger Connect Kit December 2023: A CDN Attack Retrospective

The Ledger Connect Kit compromise was a five-hour CDN attack that drained roughly $600k from connected wallets. A look at how it happened and what defenders learned.

Mar 12, 20265 min read
Tool Comparison

Sonatype IQ Server 2026: Repository Firewall in Review

Sonatype Lifecycle's IQ Server ships weekly to cloud and monthly to self-hosted in 2026. We tracked the Repository Firewall changes and compared against JFrog Curation.

Mar 12, 20267 min read
Best Practices

Best SCA Tools for Enterprise: 2026 Comparison

A fact-based 2026 review of the best Software Composition Analysis tools for enterprise teams, covering depth, reachability, remediation, and compliance.

Mar 12, 20268 min read
DevSecOps

GitHub Actions Supply Chain Hardening Checklist 2026

A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.

Mar 12, 20265 min read
supply-chain (Page 17) — Safeguard Blog