How to Sign Container Images With Cosign: A Complete Guide
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.
BuildKit's caching is what makes container builds fast. It is also a potential vector for cache poisoning attacks if not properly secured.
Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised dependency.
A practical playbook for protecting the supply chain of services running on Cloud Run: image provenance, Binary Authorization, runtime identity, and the gaps the default configuration leaves wide open.
Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.
What changes in your software supply chain when you move from virtual machines to containers, and how to adapt governance, scanning, and provenance accordingly.
etcd encryption at rest finally works out of the box. The question is which provider you use, and the trade-offs have sharpened in 2024.
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.