Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

DevSecOps

Azure DevOps Pipeline Supply Chain Hardening 2026

A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.

May 6, 20265 min read
Open Source Security

OpenSSF Scorecard v6 and the OSPS Baseline: Turning Probe Evidence Into Registry Trust Signals

The Scorecard v6 roadmap introduces conformance labels (PASS/FAIL/UNKNOWN/NOT_APPLICABLE/ATTESTED) layered over the same probe evidence, aligning Scorecard output with the OSPS Baseline for registry-side trust decisions.

May 4, 20267 min read
Tools

Semgrep Supply Chain: April 2026 Update Reviewed

Semgrep's April 2026 release added dedicated advisory pages, dependency path data in SBOM exports, a Guardian Supply Chain hook, and Maven/Gradle scanning without lockfiles.

May 2, 20267 min read
Application Security

FOSSA vs Snyk SCA Comparison 2026

Two SCA platforms with very different roots: FOSSA from license compliance, Snyk from vulnerability scanning. Which one fits which buyer profile in 2026?

May 2, 20265 min read
Regulatory Compliance

Utility Grid Software Supply Chain in 2026

NERC CIP-013, expanded CIP-010 expectations, and the post-Colonial Pipeline regulatory tightening have changed what utilities must demand from their software vendors. Here is the 2026 baseline.

Apr 30, 20265 min read
Supply Chain Attacks

tj-actions Supply Chain Attack March 2025: A Postmortem

The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.

Apr 28, 20265 min read
Cloud Security

AWS IAM Identity Center Trusted Token Issuer: A Supply Chain Lens

Trusted Token Issuer support in IAM Identity Center lets workloads exchange OIDC tokens for AWS sessions without long-lived keys. Here is how that reshapes build pipeline trust.

Apr 22, 20267 min read
DevSecOps

Zarf Air-Gap Deployment: A 2026 Walkthrough

How Zarf 0.45 packages and deploys Kubernetes workloads into disconnected environments, where the design works well, and the operational realities to plan for.

Apr 22, 20266 min read
Software Supply Chain Security

Container Image Supply Chain Security Deep Dive 2026

A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.

Apr 22, 20266 min read
SBOM

SBOM for Containers: 2026 Buyer's Guide

How to generate, manage, and act on SBOMs for containers in 2026: tool comparison, layered SBOMs, signing, and runtime drift detection.

Apr 19, 20265 min read
DevSecOps

Drone CI Supply Chain Hardening 2026

A 2026 hardening guide for Drone CI: plugin trust, runner isolation, signed pipelines, secret scoping, and integrating Drone with SLSA and sigstore.

Apr 19, 20266 min read
Cloud Security

Azure DevOps Personal Access Tokens in 2026: Rotation, Scoping, and Replacement

PATs remain the most common credential leak in Azure DevOps incidents. We trace the patterns that actually reduce risk and the migration paths that retire them entirely.

Apr 17, 20267 min read
supply-chain (Page 8) — Safeguard Blog