Tagged “supply-chain”

4 articles
Security & supply chain

HCP Packer's enforced provisioners turn golden-image policy into a contract teams can't quietly skip

HashiCorp has added enforced provisioners to HCP Packer, letting platform and security teams centrally pin mandatory build steps onto every downstream image rather than trusting that the wiki page got read. The mechanism is the easy part; deciding whether your org actually wants policy this loud is the harder one.

Jun 17, 2026 · Tomás Vega
Security & supply chain

Pinning every CI action to a commit SHA is becoming the new minimum

A new write-up from the Cilium maintainers lays out a concrete playbook for locking down CI/CD dependencies — full-SHA pinning for every action, digest-pinned containers, vendored Go modules, and Renovate with a release-age cooldown. The pattern matters even if you do not ship eBPF for a living.

Jun 16, 2026 · Tomás Vega
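The two pinning rules that teaser lists (full-SHA refs for every action, digests for every container base) are mechanical enough to lint for. The script below is an added example, written for this page, not code from the Cilium write-up or any Cilium repository. It walks a workflow file and a Dockerfile with simple regexes (an assumption: it is not a YAML or Dockerfile parser, and will miss `uses:` inside YAML anchors or multi-line constructs) and reports each mutable reference. The workflow and Dockerfile text is constructed sample input; the commit SHA and image digest in it are placeholders and do not correspond to any real release.

```python
"""Added example: lint GitHub Actions `uses:` refs and Dockerfile `FROM` lines for
the pinning rules described above. Regex-based on purpose (assumption: good enough
for ordinary workflow files; not a full YAML/Dockerfile parser)."""
import re
from typing import List, Optional, Tuple

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)

# Constructed sample workflow. The 40-hex SHA on the setup-go line is a placeholder,
# not a real actions/setup-go commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

# Constructed sample Dockerfile. The sha256 digest is a placeholder.
SAMPLE_DOCKERFILE = """\
FROM golang:1.22 AS builder
RUN go build -o /app ./...
FROM gcr.io/distroless/static@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /app /app
FROM builder AS test
"""

Finding = Tuple[int, str, str]  # (line number, reference, reason)


def check_image_ref(ref: str) -> Optional[str]:
    """A container reference is pinned only if it carries a sha256 digest.
    Tags such as `:3.20` can be re-pointed by the registry owner at any time."""
    if ref.lower() == "scratch":
        return None
    if "@sha256:" in ref:
        return None
    return "image reference has no @sha256 digest"


def check_action_ref(ref: str) -> Optional[str]:
    """A `uses:` reference is pinned only if its ref is a full 40-hex commit SHA.
    Tags (`@v4`) and branches (`@main`) are mutable and can be moved by the maintainer
    or by anyone who compromises the upstream repository."""
    if ref.startswith("./"):
        return None  # local action in the same repository; no external ref to pin
    if ref.startswith("docker://"):
        return check_image_ref(ref[len("docker://"):])
    if "@" not in ref:
        return "no ref at all (resolves to the default branch)"
    _, tag = ref.rsplit("@", 1)
    if SHA40.fullmatch(tag):
        return None
    return f"mutable ref {tag!r} instead of a 40-hex commit SHA"


def lint_workflow(text: str) -> List[Finding]:
    """Report every `uses:` line whose reference is not pinned to a commit SHA."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        reason = check_action_ref(ref)
        if reason:
            findings.append((n, ref, reason))
    return findings


def lint_dockerfile(text: str) -> List[Finding]:
    """Report every `FROM` line whose image is not digest-pinned.
    `FROM <stage>` references to earlier build stages are skipped."""
    findings: List[Finding] = []
    stages = set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref not in stages:
            reason = check_image_ref(ref)
            if reason:
                findings.append((n, ref, reason))
        if alias:
            stages.add(alias)
    return findings


if __name__ == "__main__":
    for label, found in (("workflow", lint_workflow(SAMPLE_WORKFLOW)),
                         ("dockerfile", lint_dockerfile(SAMPLE_DOCKERFILE))):
        for n, ref, reason in found:
            print(f"{label}:{n}: {ref}: {reason}")
```

Run against the constructed input it flags `actions/checkout@v4`, the undigested `docker://alpine:3.20`, `some-org/some-action@main`, and the `golang:1.22` base image, while the SHA-pinned action, the local action, the digest-pinned base and the `FROM builder` stage reference pass. Pinning alone freezes a version; it does not keep it current, which is why the write-up pairs it with Renovate. Renovate's `minimumReleaseAge` setting is the release-age cooldown the teaser refers to: it delays proposing a new version until it has been public for the configured period, so a release that is pulled as malicious within hours never reaches your pipeline.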
Security & supply chain

Docker Content Trust gets a sunset date. The harder question is what you sign with next.

Docker has published a formal retirement plan for Docker Content Trust and the Notary v1 service at notary.docker.io, ten years after DCT shipped. The migration is mostly mechanical — the strategic question, about whether anyone downstream was actually verifying anything, is the part the guide cannot answer for you.

Jun 16, 2026 · Tomás Vega
Security & supply chain

The 'OSS ingredients are basically safe' assumption just got a 52,000-package counter-example

Chainguard says it scanned 52,000 open-source packages used by AI-generated and 'vibe-coded' applications and concluded the long-running default — that the ingredients are safe to assume trustworthy — no longer holds. For CI/CD owners, that pushes dependency scrutiny upstream of the build.

Jun 16, 2026 · Tomás Vega