Container Image Signing with Cosign: A Practical Deep Dive
Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Signed updates are table stakes for software distribution. But the signing and verification process has pitfalls that undermine the entire security model.
How to lock down Jenkins pipelines against credential theft, script injection, and unauthorized access with practical hardening steps.
Attackers impersonate legitimate organizations on package registries through name squatting, logo theft, and metadata manipulation. Here is how to protect your brand and your users.
Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, and abandoned name reclamation. Here is how to protect your Python supply chain.
Browser extensions operate with broad permissions and auto-update silently. Here is how the extension permission model creates supply chain risks and what organizations can do about it.
Browser extensions run with elevated privileges and update automatically. When attackers compromise or acquire popular extensions, they gain access to millions of users instantly.
Attackers phished Dropbox employees by impersonating CircleCI, gaining access to 130 private GitHub repos containing internal code and credentials.
Makefiles execute shell commands by design. When those commands incorporate untrusted input, the results are predictably dangerous.