Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

NuGet package signing, source mapping, and verifying pack...

A practical guide to NuGet package signing, source mapping, and provenance verification for .NET teams — with commands, config, and a troubleshooting checklist.

Jan 31, 20268 min read
Open Source Security

Finding vulnerable .NET dependencies with dotnet list pac...

A step-by-step guide to scanning C# projects for vulnerable NuGet packages using dotnet list package --vulnerable, plus how to fix and monitor them continuously.

Jan 31, 20267 min read
Open Source Security

Case study: a malicious NuGet package compromise and its ...

Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.

Jan 30, 20268 min read
Open Source Security

Swift Package Manager dependency resolution and pinning s...

SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.

Jan 30, 20266 min read
Open Source Security

Why Choose Wolfi Linux: A Buyer Rationale for 2026

A clear-eyed look at Wolfi's value as a container base image distribution: glibc-based design, security defaults, build provenance, and where it does not fit.

Jan 29, 20266 min read
Open Source Security

Maven Central dependency confusion and namespace collisio...

How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.

Jan 29, 20267 min read
Open Source Security

Scanning Kotlin and Android projects with OWASP Dependenc...

A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.

Jan 29, 20268 min read
Open Source Security

PyPI Trusted Publishing Common Pitfalls

PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.

Jan 28, 20267 min read
Open Source Security

PyPI typosquatting and malicious Python packages targetin...

PyPI typosquatting lets attackers slip malicious Python packages into your build with one typo. Real attacks, why PyPI is exposed, and how to stay safe.

Jan 28, 20267 min read
Open Source Security

Pinning Python dependencies: requirements.txt vs Poetry a...

A practical guide to python dependency pinning with requirements.txt, pip-tools, and Poetry — locked, hash-verified builds instead of moving-target dependencies.

Jan 27, 20268 min read
Open Source Security

Auditing Python dependencies with pip-audit and Safety

A hands-on pip-audit tutorial covering Python dependency scanning, Safety CLI comparisons, and a workflow for catching PyPI vulnerabilities before release.

Jan 27, 20267 min read
Open Source Security

Auditing Rails applications' Gemfile for vulnerable depen...

A practical guide to auditing your Rails Gemfile and Gemfile.lock for vulnerable dependencies using bundler-audit, from triage through CI automation.

Jan 26, 20268 min read
Open Source Security (Page 10) — Supply Chain Security Blog | Safeguard