Engineering
In-depth guides and analysis on engineering from the Safeguard engineering team.
24 articles
Monitoring Package Maintainer Changes as a Threat Signal
Most package hijacks start with a maintainer change nobody was watching. Registry metadata makes these events observable — if you bother to look.
Vendoring Dependencies: When It Helps and When It Hurts Security
Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.
Go Module Security: sumdb, GOPROXY and Private Modules
How Go's checksum database actually protects you, where GOPROXY ordering bites, and the GOPRIVATE mistakes that leak internal module paths to public infrastructure.
Container Image Digests vs Tags: Why Pinning Matters
A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.
Python Wheels vs Source Distributions: Security Implications
Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.
CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them
The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.
Rust Crate Security: cargo audit, cargo vet and Beyond
cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.
Software Escrow and Supply Chain Continuity Planning
Most escrow deposits are write-only: nobody ever verifies they build. What escrow actually covers, when to pay for verification, and what continuity means for SaaS and OSS.
A Beginner's Guide to Threat Modeling Your Build Pipeline
Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.
SLSA Level 3 in Practice: What It Takes
SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.
PHP Composer Security: Lockfiles, Packagist and Abandoned Packages
composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.
Security Debt: Measuring and Paying It Down
Security debt is the gap between the risk you're carrying and the risk you've decided to carry. Here's how to measure it in vuln-days and pay it down without a heroic quarter.