Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
A working engineer's comparison of Google Distroless, Chainguard Images, and Wolfi as base images, covering what actually breaks in production and what does not.
How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.
Kubernetes operators run with broad cluster access. This checklist covers the controls that matter most in 2025, from RBAC scoping to image provenance.
Both Prisma Cloud and Wiz have expanded into supply chain territory from cloud security origins. A head-to-head on what each actually delivers on the supply chain dimension.
Kubernetes 1.33 shipped with meaningful security changes: stronger admission controls, expanded structured authorization, and several deprecations that will affect production clusters.
Using Istio, Linkerd, and Cilium service mesh to enforce signed-artifact, SPIFFE identity, and provenance-aware policy in production clusters.
Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
Weekly insights on software supply chain security, delivered to your inbox.