Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
VEX is how you turn a vulnerability list into an actionable work queue. Griffin AI ingests VEX documents as structured statements that filter findings at policy time. Mythos-class tools read them as advisory prose and lose the filtering entirely.
Output filters are the last line before the user and the tool call. We cover when they work, when they fail, and how to measure them honestly in production.
An anonymized look at how a US federal civilian agency assembled a complete FedRAMP High supply chain evidence pack in 30 days using Safeguard.sh.
A jailbreak in a model you ship downstream is a supply chain incident, not a trivia item. Here is how to reason about it and where the defensive controls belong.
Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products is why they have not paid off — and how to fix it.
Modern vulnerability management is shifting from periodic scanning to continuous, automated triage and remediation. Here's what that looks like in practice.
ECR now supports Notation-based image signing and trust policy enforcement. Here is how to design signing policies that survive scale and auditors.
The Safeguard Research team measured how much abandonment exists in real dependency graphs, how it correlates with risk, and what to do about it.
A phished maintainer token pushed a private-key-stealing backdoor into @solana/web3.js 1.95.6/1.95.7. Full mechanics and post-incident recommendations.
Weekly insights on software supply chain security, delivered to your inbox.