CMMC Level 3 Software Supply Chain Checklist 2026
A senior engineer's CMMC Level 3 checklist focused on software supply chain: SBOM, SC-SR controls, SSP evidence, and the operational gaps most defense contractors still have.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
Sonatype Lifecycle's IQ Server ships weekly to cloud and monthly to self-hosted in 2026. We tracked the Repository Firewall changes and compared against JFrog Curation.
A fact-based 2026 review of the best Software Composition Analysis tools for enterprise teams, covering depth, reachability, remediation, and compliance.
A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
Code signing key theft has surged across 2025 and 2026. We trace the recurring incident patterns, the operator tradecraft, and the structural defenses that work.
Signing artifacts is necessary but not sufficient. The policy that verifies signatures, attestations, and trust roots is what turns signing into a security control.
The economics of zero-day discovery have been opaque for too long. Here is the actual cost structure of finding a real, defensible bug, and how to think about it.