Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore
Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are issued, validated, and woven into long-term trust.
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.
Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.
Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.
Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.
Software provenance answers the question: where did this code come from, who built it, and can I trust it? In 2022, provenance tracking moved from academic concept to practical necessity.
Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you need to implement.