supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Confused Deputy Attacks on CI/CD Service Accounts
Build systems hold broad trust and tight deadlines, which makes them perfect confused deputies. Here is how the attack pattern shows up in modern CI/CD and how to defang it.
AI-BOM And EU AI Act Article 10 Data Governance
Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.
Chiseled / Distroless Image Rollout Program
What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.
HIPAA Supply Chain Evidence For Business Associates
HIPAA Security Rule expectations now reach into the software supply chain. Learn how Business Associates can produce evidence that satisfies OCR scrutiny.
APT29 Cloud Supply Chain Tradecraft 2025
APT29's 2024-2025 cloud-native tradecraft — from Midnight Blizzard's Microsoft intrusion to the Teams phishing pivots — shows how SVR targets identity as supply chain.
CMMC Level 3 Software Supply Chain Checklist 2026
A senior engineer's CMMC Level 3 checklist focused on software supply chain: SBOM, SC-SR controls, SSP evidence, and the operational gaps most defense contractors still have.
FedRAMP High Supply Chain Controls in 2026
Rev 5 controls are the operative baseline, and the SR control family is where most FedRAMP High authorizations are now spending their assessor time in 2026.
How to Prevent Dependency Confusion in npm (2026)
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
Ledger Connect Kit December 2023: A CDN Attack Retrospective
The Ledger Connect Kit compromise was a five-hour CDN attack that drained roughly $600k from connected wallets. A look at how it happened and what defenders learned.
Sonatype IQ Server 2026: Repository Firewall in Review
Sonatype Lifecycle's IQ Server ships weekly to cloud and monthly to self-hosted in 2026. We tracked the Repository Firewall changes and compared against JFrog Curation.
Best SCA Tools for Enterprise: 2026 Comparison
A fact-based 2026 review of the best Software Composition Analysis tools for enterprise teams, covering depth, reachability, remediation, and compliance.
GitHub Actions Supply Chain Hardening Checklist 2026
A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.