supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Azure DevOps Pipeline Supply Chain Hardening 2026
A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.
OpenSSF Scorecard v6 and the OSPS Baseline: Turning Probe Evidence Into Registry Trust Signals
The Scorecard v6 roadmap introduces conformance labels (PASS/FAIL/UNKNOWN/NOT_APPLICABLE/ATTESTED) layered over the same probe evidence, aligning Scorecard output with the OSPS Baseline for registry-side trust decisions.
Semgrep Supply Chain: April 2026 Update Reviewed
Semgrep's April 2026 release added dedicated advisory pages, dependency path data in SBOM exports, a Guardian Supply Chain hook, and Maven/Gradle scanning without lockfiles.
FOSSA vs Snyk SCA Comparison 2026
Two SCA platforms with very different roots: FOSSA from license compliance, Snyk from vulnerability scanning. Which one fits which buyer profile in 2026?
Utility Grid Software Supply Chain in 2026
NERC CIP-013, expanded CIP-010 expectations, and the post-Colonial Pipeline regulatory tightening have changed what utilities must demand from their software vendors. Here is the 2026 baseline.
tj-actions Supply Chain Attack March 2025: A Postmortem
The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.
AWS IAM Identity Center Trusted Token Issuer: A Supply Chain Lens
Trusted Token Issuer support in IAM Identity Center lets workloads exchange OIDC tokens for AWS sessions without long-lived keys. Here is how that reshapes build pipeline trust.
Zarf Air-Gap Deployment: A 2026 Walkthrough
How Zarf 0.45 packages and deploys Kubernetes workloads into disconnected environments, where the design works well, and the operational realities to plan for.
Container Image Supply Chain Security Deep Dive 2026
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
SBOM for Containers: 2026 Buyer's Guide
How to generate, manage, and act on SBOMs for containers in 2026: tool comparison, layered SBOMs, signing, and runtime drift detection.
Drone CI Supply Chain Hardening 2026
A 2026 hardening guide for Drone CI: plugin trust, runner isolation, signed pipelines, secret scoping, and integrating Drone with SLSA and sigstore.
Azure DevOps Personal Access Tokens in 2026: Rotation, Scoping, and Replacement
PATs remain the most common credential leak in Azure DevOps incidents. We trace the patterns that actually reduce risk and the migration paths that retire them entirely.