Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.
npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.
A security-focused comparison of Flux 2.5 and Argo CD 3.1: trust models, multi-tenancy, secret handling, signature verification, and the operational differences.
How Argo CD Image Updater works, the security tradeoffs of automated image promotion, and the configuration patterns that prevent supply chain incidents.
A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.
A practical Checkmarx zero trust deployment guide for 2026: integrating Checkmarx One into a zero-trust SDLC with policy gates, identity, and signed artifacts.
Call graphs say a function is reachable. Semantic reachability asks whether the preconditions for exploitation hold. The difference matters for prioritization.
How Zarf 0.45 packages and deploys Kubernetes workloads into disconnected environments, where the design works well, and the operational realities to plan for.
Weekly insights on software supply chain security, delivered to your inbox.