Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

AI Security

RAG Pipeline Supply Chain Attacks: Vector DBs and More

RAG pipelines have six or seven supply chain surfaces, and most teams are only watching one. Here is how the attacks actually look in production.

Feb 3, 20267 min read
Container Security

OCI + CNCF Image Supply Chain: 2026 Snapshot

Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.

Feb 3, 20267 min read
Industry Analysis

DEF CON 33 Software Supply Chain Sessions Recap

DEF CON 33 brought hacker-energy attention to package ecosystems, CI/CD abuse, and AppSec Village. Here is what supply chain defenders should take home.

Feb 2, 20267 min read
Supply Chain Attacks

PyPI mexalz Malware Campaign Deep Dive

Researchers tracked a PyPI campaign publishing malicious packages under the mexalz and related account names, targeting Python developers with infostealers.

Feb 2, 20266 min read
Open Source Security

Rust crates.io Supply Chain Controls in 2026

crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.

Feb 2, 20266 min read
Best Practices

CISO FAQ: Software Supply Chain Security 2026

The questions CISOs actually ask about software supply chain security in 2026: scope, budget, reporting lines, SBOMs, AI code, and where to start.

Jan 30, 20267 min read
Tutorials

Getting Started with Safeguard CLI: Your First Scan

Install the Safeguard CLI, authenticate, and run your first dependency and SBOM scan in under ten minutes. Covers config, output formats, and CI wiring.

Jan 30, 20266 min read
Container Security

Sigstore Policy Controller for K8s in Production

How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.

Jan 30, 20267 min read
Tools

Renovate 2026: Security-Only Mode and OSV Alerts Tested

Renovate's 2026 security presets, OSV-based vulnerability alerts, and 14-day minimum release age combine into a defensible auto-update posture. We tested it on a 240-repo org.

Jan 29, 20267 min read
Industry Analysis

The Case for Autonomous Remediation Now

Manual patching is a losing race against the rate of new vulnerabilities. Autonomous remediation is not a future technology — it is the only workflow that keeps pace with modern supply chains.

Jan 29, 20267 min read
Software Supply Chain Security

AI BOM Spec Comparison: CycloneDX ML-BOM in 2026

AI bills of materials moved from proposal to procurement requirement. A practical comparison of CycloneDX ML-BOM, SPDX 3.0 AI profile, and what to ship in 2026.

Jan 29, 20266 min read
Cloud Security

AWS Signer with Notation: Designing a Trust Policy That Survives Contact

AWS Signer integrates with Notation for OCI image signing. The hard part is not signing — it is the trust policy that decides what gets to run. We walk through one that holds up.

Jan 28, 20267 min read
supply-chain (Page 26) — Safeguard Blog