Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A security-focused review of the Google Terraform providers: provenance, authentication paths, state handling, and the misconfigurations that consistently produce incidents across the Google and Google-Beta provider ecosystem.
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.
Earthly combines container isolation with Makefile-style ergonomics. Here's what that means for supply chain posture, with real Earthfile examples.
How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real production use without a vault server.
A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token rotation strategy that keeps the trust model intact.
A security engineer's look at Buck2, Meta's open-source build system, including Starlark sandbox properties, remote execution, and actual supply chain guarantees.
The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening steps it usually needs.
go generate is a seam where arbitrary commands run with the full privileges of the developer, and it does not show up in any manifest of trusted dependencies.
Weekly insights on software supply chain security, delivered to your inbox.