SLSA Builder Requirements in Production
The SLSA specification sets explicit requirements for builders at each level. Here is what those requirements actually mean when you operate a builder in production.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.
A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product and which do not.
The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.
A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.
Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.
Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.
Compare Mend (formerly WhiteSource) and Black Duck on SBOM export, license policy, detection sources, deployment model, and enterprise reporting for 2024 SCA selection.