Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
Workers Builds emits provenance attestations for the code it deploys. We trace how to verify them, gate on them, and integrate them into a multi-cloud supply chain program.
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
A senior engineer's guide to training data poisoning defenses in 2026, from split-learning detection to provenance attestation and continuous pipeline monitoring.
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
Weekly insights on software supply chain security, delivered to your inbox.