Open Source Security
Maven Central Sigstore Migration Status
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
Feb 12, 20267 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.
Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.
The Java Platform Module System arrived in Java 9 and has aged into quiet maturity. What JPMS actually does for supply chain posture in enterprise Java.
Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what changed, who was affected, and what Java teams should do.
Securing Spring Boot applications with dependency management BOMs, vulnerability scanning, and hardened configurations.
Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship attested SBOMs alongside your JARs.
How to secure your Java dependency chain across Maven and Gradle builds, from signature verification to repository management.
Six months after CVE-2021-44228 broke the internet, here is what worked, what didn't, and the response patterns security teams should keep as muscle memory.
Weekly insights on software supply chain security, delivered to your inbox.