DevSecOps
How to Rotate Build Signing Keys Safely
A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.
Oct 8, 20246 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.
Docker's 2024 rate-limit reforms hit CI pipelines hard. Measured impact on 30 real build farms and the mirror and pull-through controls that fixed it.
Supply chain risks specific to GraphQL stacks: Apollo, graphql-js, persisted queries, introspection, and transitive risk in gateway federation.
CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.
Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls from running Dagger in production.
Compare GitGuardian and TruffleHog on detector coverage, validation, historical scans, developer workflow, and pricing to pick the right secret scanning tool.
Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.
A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.
Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.
Weekly insights on software supply chain security, delivered to your inbox.