supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Black Hat USA 2025: Supply Chain Security Recap
Black Hat USA 2025 highlighted AI-generated code risks, build system attacks, and the maturation of SBOM tooling. Here is what mattered for supply chain teams.
Safeguard Gold Build Pipeline: How It Works
A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.
Azure DevOps Supply Chain Hardening Guide
A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.
Prompt Injection as a Supply Chain Risk in 2026
Prompt injection stopped being an LLM curiosity the moment agents started committing code. It is now a software supply chain risk and should be modeled as one.
GitHub Actions: SHA-Pin Tags or Get Burned
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
Financial Services Supply Chain Controls for 2026
What banks, broker-dealers, and insurers should require from their software vendors in 2026: DORA, NYDFS Part 500, OCC guidance, and the operational resilience controls that actually hold up.
Codecov Bash Uploader 2021: A Supply Chain Retrospective
The Codecov bash uploader compromise was the quiet supply chain attack that exposed how CI secrets flow through every customer's pipeline. A five-year look back.
npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry
After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.
Git Hooks as Supply Chain Controls in 2026
Server-side and client-side git hooks are an underused control surface for supply chain risk. Here is what to enforce, where to enforce it, and what to leave alone.
SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026
How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.
Why Scanning Alone Doesn't Work Anymore
Scanners generate findings. Programs produce outcomes. After a decade of dashboards and CVE counts, it is time to admit the gap between the two is the actual security problem.
AWS CodeBuild/CodePipeline Hardening in 2026
CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.