Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
Wire Sigstore into GitHub Actions end-to-end: OIDC identity, Cosign signing, Rekor transparency, and policy-controller enforcement — with working snippets.
A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.
Scanning for vulnerabilities means nothing if you cannot enforce the results. Supply chain policy engines in Kubernetes turn security findings into hard deployment gates.
Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.