Sigstore Policy Controller for K8s in Production
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
OpenShift Pipelines (Tekton) plus Sigstore gives you keyless signing inside a regulated cluster. The integration patterns are subtle. We map the ones that survive audit.
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.
OpenSSF launched Model Signing v1.0 in April 2025 with Sigstore integration. NVIDIA NGC adopted it the same month. We explain what it signs, how to verify, and where the gaps are.
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.