Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Most organizations know they should care about software supply chain security, but few have a structured way to assess their maturity. A practical framework for evaluating and improving your posture.
Zero trust is not just a network architecture concept. Applied to the software supply chain, it fundamentally changes how organizations verify code, dependencies, and build processes.
Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.
A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.