supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
RAG Pipeline Supply Chain Attacks: Vector DBs and More
RAG pipelines have six or seven supply chain surfaces, and most teams are only watching one. Here is how the attacks actually look in production.
OCI + CNCF Image Supply Chain: 2026 Snapshot
Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.
DEF CON 33 Software Supply Chain Sessions Recap
DEF CON 33 brought hacker-energy attention to package ecosystems, CI/CD abuse, and AppSec Village. Here is what supply chain defenders should take home.
PyPI mexalz Malware Campaign Deep Dive
Researchers tracked a PyPI campaign publishing malicious packages under the mexalz and related account names, targeting Python developers with infostealers.
Rust crates.io Supply Chain Controls in 2026
crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.
CISO FAQ: Software Supply Chain Security 2026
The questions CISOs actually ask about software supply chain security in 2026: scope, budget, reporting lines, SBOMs, AI code, and where to start.
Getting Started with Safeguard CLI: Your First Scan
Install the Safeguard CLI, authenticate, and run your first dependency and SBOM scan in under ten minutes. Covers config, output formats, and CI wiring.
Sigstore Policy Controller for K8s in Production
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.
Renovate 2026: Security-Only Mode and OSV Alerts Tested
Renovate's 2026 security presets, OSV-based vulnerability alerts, and 14-day minimum release age combine into a defensible auto-update posture. We tested it on a 240-repo org.
The Case for Autonomous Remediation Now
Manual patching is a losing race against the rate of new vulnerabilities. Autonomous remediation is not a future technology — it is the only workflow that keeps pace with modern supply chains.
AI BOM Spec Comparison: CycloneDX ML-BOM in 2026
AI bills of materials moved from proposal to procurement requirement. A practical comparison of CycloneDX ML-BOM, SPDX 3.0 AI profile, and what to ship in 2026.
AWS Signer with Notation: Designing a Trust Policy That Survives Contact
AWS Signer integrates with Notation for OCI image signing. The hard part is not signing — it is the trust policy that decides what gets to run. We walk through one that holds up.