supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
tj-actions Compromise: One Year Retrospective
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
Code Signing Key Theft Trend Watch
Code signing key theft has surged across 2025 and 2026. We trace the recurring incident patterns, the operator tradecraft, and the structural defenses that work.
Signed Artifact Policy Enforcement In 2026
Signing artifacts is necessary but not sufficient. The policy that verifies signatures, attestations, and trust roots is what turns signing into a security control.
Zero-Day Discovery Economics: Cost Per Find
The economics of zero-day discovery have been opaque for too long. Here is the actual cost structure of finding a real, defensible bug, and how to think about it.
GitHub Codespaces and Supply Chain Risk in 2026
Codespaces shifts development from the laptop to the cloud, which changes the supply chain threat model in ways most teams have not fully thought through.
VS Code Marketplace Malware Campaigns in 2025
A senior engineer's review of the 2025 VS Code Marketplace malware wave, including typosquats, trojanized themes, and extensions that stole npm tokens at scale.
Asset Discovery As CMDB Replacement In 2026
The traditional CMDB cannot keep up with cloud, AI, and agent workloads. Continuous discovery is the only model that survives 2026.
PHP / Composer Supply Chain Defence 2026
A 2026 supply chain defence for PHP and Composer — covering Packagist, composer.lock, autoload manipulation, and Laravel — backed by Safeguard.
Vendor SBOM Ingest Program Blueprint
Asking vendors for SBOMs is easy. Building a program that actually does something with them is harder. Here is a working blueprint that scales past a hundred vendors.
Executive Order 14028 at Five Years: A Comprehensive Review
Five years after President Biden signed EO 14028, we assess what it accomplished, what it missed, and what comes next.
How to Sign Container Images with Cosign in Production
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
FTC and Software Supply Chain Enforcement 2026
The FTC's widening enforcement posture after the MGM breach and related consent orders is reshaping software supply chain accountability for vendors and buyers.