Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Most organizations know they should care about software supply chain security, but few have a structured way to assess their maturity. A practical framework for evaluating and improving your posture.
SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.
Zero trust is not just a network architecture concept. Applied to the software supply chain, it fundamentally changes how organizations verify code, dependencies, and build processes.
Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.
A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.
Five takeaways from the supply chain sessions at RSA Conference 2023, from SBOM adoption skepticism to attestation tooling and federal procurement pressure.
Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.
An inside look at Google's multi-layered approach to supply chain security, from Binary Authorization to SLSA, and what other organizations can adapt from their model.
Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.
Weekly insights on software supply chain security, delivered to your inbox.