Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.
Sigstore Cosign v3.0 flips four behaviours to defaults: bundle format, trusted root, signing config, and statement-based attestations. Here's a clean upgrade plan.
Kyverno 1.18 ships ImageValidatingPolicy as the new policy type for cosign signature, attestation, and SBOM verification. We migrated a 60-cluster fleet and graded the new model.
How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.
Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.
Weekly insights on software supply chain security, delivered to your inbox.