Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

757 articles

Cloud Security

AWS CodeBuild/CodePipeline Hardening in 2026

CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.

Jan 22, 20267 min read
Container Security

Cosign for Container Signing: A Production Setup

A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.

Jan 22, 20267 min read
Research

OSS Malware Trends Q1 2026 (Safeguard Research)

The Safeguard Research team analyzed first-quarter 2026 malicious package telemetry across npm, PyPI, RubyGems, and crates.io. Here is what the data shows.

Jan 22, 20267 min read
Cloud Security

OpenShift Pipelines with Sigstore: A Production Integration Guide

OpenShift Pipelines (Tekton) plus Sigstore gives you keyless signing inside a regulated cluster. The integration patterns are subtle. We map the ones that survive audit.

Jan 21, 20267 min read
AI Security

AI Agent Security Risks: Why Autonomous Systems Are the Next Supply Chain Frontier

AI agents are consuming APIs, installing packages, and executing code autonomously. The security implications are massive and largely unaddressed.

Jan 20, 20266 min read
Supply Chain Attacks

The npm 'everything' Package Attack (2024) Analyzed

In January 2024 a developer published npm packages that depended on every public npm package, triggering a denial-of-service style incident across the registry.

Jan 20, 20267 min read
Container Security

Distroless vs. Chainguard vs. Wolfi: Real Differences

A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.

Jan 19, 20266 min read
AI Security

AI Safety Eval Datasets as Supply Chain

The datasets you use to evaluate model safety are themselves a supply chain, and almost nobody is treating them that way. A senior engineer's audit of how eval corpora get poisoned, contaminated, and silently drifted.

Jan 18, 20267 min read
Cloud Security

GCP Artifact Registry Vulnerability Scanning: Integrating the Findings

Artifact Analysis on Artifact Registry produces a steady stream of findings. The discipline is in what you do with them. We map the workflows that actually reduce risk.

Jan 15, 20267 min read
DevSecOps

Pre-Commit Hooks Security Recipes for 2026

Practical pre-commit framework recipes that catch secrets, malicious packages, and risky changes before they reach your remote, without slowing developers down.

Jan 14, 20266 min read
Container Security

K8s Admission Controllers for Supply Chain Policy

How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.

Jan 13, 20266 min read
AI Security

Securing Claude Code MCP Server Deployments

Claude Code MCP servers run with the privileges of the developer who invoked them. That makes deployment posture the entire security model.

Jan 12, 20267 min read
supply-chain (Page 28) — Safeguard Blog