Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.
A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.
A senior engineer's playbook for auditing open source licenses across modern polyglot repos, from SPDX extraction to enforcement in CI and legal reporting.
CVE-2024-23897 is a Jenkins CLI arbitrary file-read flaw that leaks secrets and enables RCE chains. Root cause, exploitation, and patch guidance.
An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in the right conversation.
Both tools open the same kind of PR. The differences that matter at scale show up in configuration, grouping, platform support, and what happens when something breaks.
If you cannot measure your supply chain security posture, you cannot invest in it. Here are the KPIs that separate real programs from the theater.
Weekly insights on software supply chain security, delivered to your inbox.