Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
In a six-hour window on May 18, 2026, an automated campaign pushed malicious GitHub Actions workflows into 5,561 repositories using credentials harvested by infostealers. We break down the attack chain, the workflow_dispatch dormancy trick, and CI detection.
In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.
A practical Checkmarx zero trust deployment guide for 2026: integrating Checkmarx One into a zero-trust SDLC with policy gates, identity, and signed artifacts.
A grounded 2026 primer on software supply chain attacks: definitions, the four real attack vectors, landmark incidents, and where defenders should start.
Shift-left only works when developers stop noticing it. A 2026 playbook for moving supply chain checks earlier without burning the people who ship code.
The editor is the highest-leverage place to catch supply chain risk. A design guide for building IDE-time feedback that developers actually want.
The pull request is the highest-stakes moment in shift-left. A field guide to designing PR policy gates that block bad code without breaking trust.
A security CLI lives or dies on the experience of typing it. A design guide for building security tooling that respects the developer's terminal.
Every security tool spends developer attention. A framework for budgeting friction across IDE, CLI, and PR-time supply chain checks without going bankrupt.
Weekly insights on software supply chain security, delivered to your inbox.