Safeguard
Topic

Engineering

In-depth guides and analysis on engineering from the Safeguard engineering team.

24 articles

Engineering

Monitoring Package Maintainer Changes as a Threat Signal

Most package hijacks start with a maintainer change nobody was watching. Registry metadata makes these events observable — if you bother to look.

Jun 14, 20256 min read
Engineering

Vendoring Dependencies: When It Helps and When It Hurts Security

Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.

May 25, 20257 min read
Engineering

Go Module Security: sumdb, GOPROXY and Private Modules

How Go's checksum database actually protects you, where GOPROXY ordering bites, and the GOPRIVATE mistakes that leak internal module paths to public infrastructure.

Feb 27, 20257 min read
Engineering

Container Image Digests vs Tags: Why Pinning Matters

A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.

Feb 16, 20256 min read
Engineering

Python Wheels vs Source Distributions: Security Implications

Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.

Nov 27, 20246 min read
Engineering

CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them

The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.

Oct 15, 20247 min read
Engineering

Rust Crate Security: cargo audit, cargo vet and Beyond

cargo audit catches known-bad versions, cargo vet forces someone to actually read the code. What each tool covers, what neither covers, and how to run both without hating your CI.

Sep 20, 20246 min read
Engineering

Software Escrow and Supply Chain Continuity Planning

Most escrow deposits are write-only: nobody ever verifies they build. What escrow actually covers, when to pay for verification, and what continuity means for SaaS and OSS.

Sep 19, 20247 min read
Engineering

A Beginner's Guide to Threat Modeling Your Build Pipeline

Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.

Aug 25, 20247 min read
Engineering

SLSA Level 3 in Practice: What It Takes

SLSA Build L3 is achievable in a week per repo if you use a hosted builder — and nearly impossible if you insist on rolling your own. Here is the practical path.

Apr 19, 20246 min read
Engineering

PHP Composer Security: Lockfiles, Packagist and Abandoned Packages

composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.

Apr 18, 20246 min read
Engineering

Security Debt: Measuring and Paying It Down

Security debt is the gap between the risk you're carrying and the risk you've decided to carry. Here's how to measure it in vuln-days and pay it down without a heroic quarter.

Mar 5, 20247 min read
Engineering (Page 2) — Supply Chain Security Blog | Safeguard