Multi-Arch Image Builds and Attestation Pitfalls
Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.
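The core pitfall the post above refers to, as an added example written for this listing rather than code from the Safeguard post or its pipeline: a multi-arch tag resolves to an OCI image index, but a node pulls one platform-specific child manifest, and an in-toto attestation speaks only for the digest named as its subject. If the pipeline attests the index alone (and builds the SBOM from whichever platform the build host pulled), the arm64 node either finds no attestation for the digest it actually runs or finds one whose SBOM describes the amd64 layers. The manifests, the `registry.example/app` reference, the deterministic JSON encoding and the `covers` predicate field are all constructed for illustration; real digests are taken over the exact bytes the registry stores, and the per-platform fix is what `cosign attest --recursive` automates.

```python
import hashlib
import json

REPO = "registry.example/app"  # hypothetical image reference


def canonical(obj: dict) -> bytes:
    """Deterministic encoding for the constructed documents. Real registries
    hash the stored bytes; this only makes the example self-consistent."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical(obj)).hexdigest()


def platform_manifest(fill: str) -> dict:
    """Constructed OCI image manifest; config and layer digests are fake."""
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": "sha256:" + fill * 32, "size": 1234},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                    "digest": "sha256:" + fill * 32, "size": 5678}],
    }


MANIFESTS = {"amd64": platform_manifest("aa"), "arm64": platform_manifest("bb")}


def build_index(manifests: dict) -> dict:
    """OCI image index: one descriptor per platform, each naming a child digest."""
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [
            {"mediaType": m["mediaType"], "digest": digest(m),
             "size": len(canonical(m)),
             "platform": {"os": "linux", "architecture": arch}}
            for arch, m in manifests.items()
        ],
    }


INDEX = build_index(MANIFESTS)


def statement(subject: str, covers: list) -> dict:
    """Minimal in-toto Statement v1. The subject digest is the only binding
    between the attestation and an artifact; 'covers' is a hypothetical
    predicate field recording which manifests the SBOM was generated from."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": REPO, "digest": {"sha256": subject.split(":", 1)[1]}}],
        "predicateType": "https://spdx.dev/Document",
        "predicate": {"covers": covers},
    }


def attest_index_only(index: dict, manifests: dict, scanned_arch: str) -> list:
    """Pitfall: a single SBOM attestation bound to the index digest, built by
    scanning whichever platform the build host happened to pull."""
    return [statement(digest(index), [digest(manifests[scanned_arch])])]


def attest_per_platform(index: dict, manifests: dict) -> list:
    """Fix: attest every child manifest with an SBOM of that manifest, plus an
    index-level attestation that covers all children."""
    children = [digest(m) for m in manifests.values()]
    stmts = [statement(d, [d]) for d in children]
    stmts.append(statement(digest(index), children))
    return stmts


def resolve_platform(index: dict, arch: str) -> str:
    """What a node does on pull: select the child manifest for its platform."""
    for entry in index["manifests"]:
        if entry["platform"]["architecture"] == arch:
            return entry["digest"]
    raise KeyError(f"no manifest for {arch}")


def matching_statements(stmts: list, pulled: str) -> list:
    """A statement vouches only for the digests it names as subject."""
    want = pulled.split(":", 1)[1]
    return [s for s in stmts
            if any(sub["digest"].get("sha256") == want for sub in s["subject"])]


def verify_pull(stmts: list, index: dict, arch: str) -> dict:
    """Strict policy: the digest the node actually runs needs its own
    attestation, and that attestation's SBOM must describe that manifest."""
    child = resolve_platform(index, arch)
    matched = matching_statements(stmts, child)
    return {"attested": bool(matched),
            "sbom_covers": any(child in s["predicate"]["covers"] for s in matched)}


def verify_index_only(stmts: list, index: dict, arch: str) -> dict:
    """Lenient policy: verify the tag's index digest and assume it covers all
    platforms. The signature check passes, but the SBOM may describe other layers."""
    child = resolve_platform(index, arch)
    matched = matching_statements(stmts, digest(index))
    return {"attested": bool(matched),
            "sbom_covers": any(child in s["predicate"]["covers"] for s in matched)}


if __name__ == "__main__":
    weak = attest_index_only(INDEX, MANIFESTS, "amd64")
    good = attest_per_platform(INDEX, MANIFESTS)
    print("index-only, arm64 node, lenient:", verify_index_only(weak, INDEX, "arm64"))
    print("index-only, arm64 node, strict: ", verify_pull(weak, INDEX, "arm64"))
    print("per-platform, arm64 node, strict:", verify_pull(good, INDEX, "arm64"))
```

The practical check this encodes: a policy engine should resolve the tag to the platform digest the node will run and require an attestation whose subject is that digest, not stop at the index. Pipelines that attest only the index pass the lenient check on every architecture while shipping an SBOM that describes one of them.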
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Model weights are binaries with the privilege of code and the review of documents. Here is what signing, attestation, and provenance should actually look like.
A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.
Where zk-SNARKs, STARKs, and Bulletproofs actually fit in software supply chain attestation, and where conventional signatures remain the correct choice.
SLSA v1.2 was approved in November 2025 and finally completes the Source Track that v0.1 only sketched. We break down the new source levels and what producers must change.
How Intel TDX, AMD SEV-SNP, and AWS Nitro Enclaves plug into build and signing pipelines, with attestation flows and operational tradeoffs.
Generate SLSA v1.0 provenance attestations in GitHub Actions, validate them with slsa-verifier, gate releases on builder identity, and prove build integrity.
CISA now requires software vendors selling to the US government to attest to secure development practices. Here's what the form demands and how to prepare.
The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.