supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
EO 14028 Attestation Pipeline
Executive Order 14028 attestations are now standard for federal software vendors. Build a pipeline that produces SSDF-aligned evidence on every release.
SBOM Cross-Vendor Normalisation: Enterprise Program
Vendor SBOMs arrive in every shape and size. Without disciplined normalisation, your ingest store is a junk drawer. Here is how mature programmes solve it.
Service Mesh Supply Chain Policy 2026
Service meshes are a control plane and a data plane and a supply chain risk surface all at once. This post covers the policy controls that matter in 2026 for sidecars, control planes, and mesh-issued certificates.
Software Supply Chain Legal Risk Assessment Template 2026
A working template for legal and security teams to assess software supply chain risk against contractual, regulatory, and licensing exposure in 2026.
Safeguard vs Wiz: Supply Chain Focus 2026
How Safeguard and Wiz compare in 2026 for software supply chain security, SCA depth, container provenance, and autonomous remediation.
Dependency Confusion: Griffin AI vs Mythos
Dependency confusion is older than most of the AI tooling trying to detect it. The attacks have adapted to the defences — detection needs to keep up.
JSR JavaScript Registry Security Model
JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.
Snowflake Customer Breaches 2024: Root Cause
The Snowflake customer breaches of 2024 were not a Snowflake compromise. Infostealer logs, shared credentials, and absent MFA did the damage, from Ticketmaster to AT&T.
MCP Server Capability Policy Enforcement
MCP servers expose tools that AI agents can call directly. Capability policy decides which tools each agent gets, with the same rigor as any other supply chain gate.
Ransomware Via Software Supply Chain In 2026
Ransomware operators increasingly enter victims through software supply chain pathways. We analyze the 2026 patterns, the affiliate dynamics, and what defenders should do.
Coordinated Disclosure With Upstream Maintainers
Coordinated disclosure with open-source maintainers is a relationship business. Here is what makes it work in 2026, with the artefacts a modern pipeline gives you.
How to Generate an SBOM with GitHub Actions (2026)
SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.