in-toto Attestation Framework Walkthrough 2026
A working engineer's tour of in-toto in 2026: layouts, links, the attestation predicate ecosystem, and how it composes with SLSA, sigstore, and SBOMs.
A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.
Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.
Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.
Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.
in-toto reached CNCF graduation in April 2025 and shipped a major attestation framework release. We walk through the bundle layer, resource descriptors, and what producers should adopt.
Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.
The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.