Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Incident Analysis

tj-actions Compromise: One Year Retrospective

A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?

Mar 12, 20268 min read
Industry Analysis

Code Signing Key Theft Trend Watch

Code signing key theft has surged across 2025 and 2026. We trace the recurring incident patterns, the operator tradecraft, and the structural defenses that work.

Mar 11, 20268 min read
Best Practices

Signed Artifact Policy Enforcement In 2026

Signing artifacts is necessary but not sufficient. The policy that verifies signatures, attestations, and trust roots is what turns signing into a security control.

Mar 11, 20268 min read
AI Security

Zero-Day Discovery Economics: Cost Per Find

The economics of zero-day discovery have been opaque for too long. Here is the actual cost structure of finding a real, defensible bug, and how to think about it.

Mar 11, 20267 min read
DevSecOps

GitHub Codespaces and Supply Chain Risk in 2026

Codespaces shifts development from the laptop to the cloud, which changes the supply chain threat model in ways most teams have not fully thought through.

Mar 11, 20266 min read
Supply Chain Attacks

VS Code Marketplace Malware Campaigns in 2025

A senior engineer's review of the 2025 VS Code Marketplace malware wave, including typosquats, trojanized themes, and extensions that stole npm tokens at scale.

Mar 11, 20267 min read
Best Practices

Asset Discovery As CMDB Replacement In 2026

The traditional CMDB cannot keep up with cloud, AI, and agent workloads. Continuous discovery is the only model that survives 2026.

Mar 10, 20267 min read
Open Source Security

PHP / Composer Supply Chain Defence 2026

A 2026 supply chain defence for PHP and Composer — covering Packagist, composer.lock, autoload manipulation, and Laravel — backed by Safeguard.

Mar 10, 20267 min read
Best Practices

Vendor SBOM Ingest Program Blueprint

Asking vendors for SBOMs is easy. Building a program that actually does something with them is harder. Here is a working blueprint that scales past a hundred vendors.

Mar 10, 20267 min read
Compliance

Executive Order 14028 at Five Years: A Comprehensive Review

Five years after President Biden signed EO 14028, we assess what it accomplished, what it missed, and what comes next.

Mar 10, 20266 min read
Best Practices

How to Sign Container Images with Cosign in Production

Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.

Mar 10, 20267 min read
Compliance

FTC and Software Supply Chain Enforcement 2026

The FTC's widening enforcement posture after the MGM breach and related consent orders is reshaping software supply chain accountability for vendors and buyers.

Mar 10, 20268 min read
supply-chain (Page 18) — Safeguard Blog