Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A senior-engineer deep dive into 2026 container image supply chain security: base image risk, provenance, signing, attestation chains, and what actually moves the needle.
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
Where software signing stands today, what Sigstore and friends changed, and why most organizations still ship unsigned artifacts.
A working engineer's tour of in-toto in 2026: layouts, links, the attestation predicate ecosystem, and how it composes with SLSA, sigstore, and SBOMs.
A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.
A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.
SLSA v1.2 was approved in November 2025 and finally completes the Source Track that v0.1 only sketched. We break down the new source levels and what producers must change.
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Weekly insights on software supply chain security, delivered to your inbox.