Build Server Compromise Investigation
A hands-on investigation guide for compromised build servers, from initial containment through rootkit checks and clean rebuild.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
SvelteKit's compiled-output philosophy gives it a smaller runtime footprint than React frameworks, but the build-time supply chain is just as complex. Here is what to watch for when you adopt Svelte in production.
Maven plugins execute during your build with full JVM access. Here is how to verify they are legitimate and have not been tampered with.
Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.
Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.
Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compromised. Here is how it happens.
WireGuard's simplicity and performance make it well-suited for securing development infrastructure. Here is how to deploy it for build servers, artifact repositories, and developer access.
SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.