Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.
Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.
GitHub Actions workflows execute third-party code with access to your repository secrets. Most teams don't realize how much trust they're placing in action authors.
Travis CI exposed secrets from public repo forks for weeks in 2021. Here is the exact defect, who was affected, and the permanent takeaways.
Google's SLSA framework provides a graduated model for supply chain integrity, from basic provenance to fully verified builds. Here's how it works and why it matters.
CI/CD pipelines are the new attack surface. From poisoned dependencies to compromised build tools, here's how to lock down your software delivery infrastructure.
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
DNS hijacking can redirect software updates, package downloads, and API calls to attacker-controlled servers. Here's how this underrated attack vector threatens your entire software supply chain.
Open source powers the modern internet, but its security model is under strain. Here's the 2021 landscape of open source risk, from funding to maintainer burnout to malicious packages.
Weekly insights on software supply chain security, delivered to your inbox.