Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

DevSecOps

Reproducible Builds: Why Bother in 2026?

Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.

Feb 10, 20267 min read
Industry Analysis

RSA Conference 2026: Supply Chain Themes

RSA Conference 2026 centered on AI governance, software supply chain regulation, and vendor consolidation. Here is the analyst view of what mattered.

Feb 9, 20268 min read
Emerging Technology

GitLab OIDC Token Theft: Workflow Research

GitLab CI OIDC tokens are becoming the keys to cloud kingdoms. Recent research shows how workflow misconfigurations leak them in surprising ways.

Feb 8, 20268 min read
Container Security

Fargate/ECS Container Supply Chain Pitfalls

The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.

Feb 6, 20267 min read
AI Security

LLM Jailbreak as a Supply Chain Risk in 2026

A jailbreak in a model you ship downstream is a supply chain incident, not a trivia item. Here is how to reason about it and where the defensive controls belong.

Feb 5, 20268 min read
Industry Analysis

SBOM as a Product, Not a Checkbox

Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products is why they have not paid off — and how to fix it.

Feb 5, 20267 min read
Agent Security

ToxicSkills: When Claude Skills Become a Malware Distribution Channel

Snyk's ToxicSkills research found prompt injection in 36% of Claude skills tested and 1,467 malicious payloads. The SKILL.md trust model is the structural issue.

Feb 4, 20267 min read
Cloud Security

IBM Cloud Code Engine: A Supply Chain Defender's Walkthrough

Code Engine abstracts away Kubernetes for Knative-style serverless workloads on IBM Cloud. The supply chain story is different from what most defenders bring from AWS or GCP.

Feb 4, 20268 min read
Supply Chain

Inside PyPI Project Quarantine: How the Reversible Takedown Workflow Has Performed Since Launch

PyPI's Project Quarantine status, introduced in August 2024 and used roughly 140 times in its first year, replaces irreversible deletions with a reversible hidden state. Here is how the workflow operates and how to consume the signal.

Feb 4, 20266 min read
Best Practices

FAQ: CycloneDX vs SPDX — Which to Use?

Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.

Feb 4, 20266 min read
Emerging Technology

Leaky Vessels: The runc Container Escape Class (2024)

Leaky Vessels bundled four CVEs that let container processes escape into the host. Two years later the class is still mispatched and misunderstood.

Feb 4, 20267 min read
Best Practices

Dependabot Security Update Policies for 2026

A pragmatic guide to configuring Dependabot for security updates: which knobs matter, which defaults are wrong, and how to avoid drowning teams in PRs.

Feb 3, 20266 min read
supply-chain (Page 25) — Safeguard Blog