Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Industry Analysis

Black Hat USA 2025: Supply Chain Security Recap

Black Hat USA 2025 highlighted AI-generated code risks, build system attacks, and the maturation of SBOM tooling. Here is what mattered for supply chain teams.

Jan 28, 20268 min read
Architecture

Safeguard Gold Build Pipeline: How It Works

A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.

Jan 28, 20267 min read
Cloud Security

Azure DevOps Supply Chain Hardening Guide

A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.

Jan 27, 20267 min read
AI Security

Prompt Injection as a Supply Chain Risk in 2026

Prompt injection stopped being an LLM curiosity the moment agents started committing code. It is now a software supply chain risk and should be modeled as one.

Jan 24, 20267 min read
DevSecOps

GitHub Actions: SHA-Pin Tags or Get Burned

Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.

Jan 24, 20266 min read
Regulatory Compliance

Financial Services Supply Chain Controls for 2026

What banks, broker-dealers, and insurers should require from their software vendors in 2026: DORA, NYDFS Part 500, OCC guidance, and the operational resilience controls that actually hold up.

Jan 22, 20266 min read
Incident Analysis

Codecov Bash Uploader 2021: A Supply Chain Retrospective

The Codecov bash uploader compromise was the quiet supply chain attack that exposed how CI secrets flow through every customer's pipeline. A five-year look back.

Jan 22, 20265 min read
Open Source Security

npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry

After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.

Jan 22, 20266 min read
DevSecOps

Git Hooks as Supply Chain Controls in 2026

Server-side and client-side git hooks are an underused control surface for supply chain risk. Here is what to enforce, where to enforce it, and what to leave alone.

Jan 22, 20266 min read
SBOM

SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026

How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.

Jan 22, 20265 min read
Industry Analysis

Why Scanning Alone Doesn't Work Anymore

Scanners generate findings. Programs produce outcomes. After a decade of dashboards and CVE counts, it is time to admit the gap between the two is the actual security problem.

Jan 22, 20267 min read
Cloud Security

AWS CodeBuild/CodePipeline Hardening in 2026

CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.

Jan 22, 20267 min read
supply-chain (Page 27) — Safeguard Blog