Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
NuGet package signing, source mapping, and verifying pack...
A practical guide to NuGet package signing, source mapping, and provenance verification for .NET teams — with commands, config, and a troubleshooting checklist.
Finding vulnerable .NET dependencies with dotnet list pac...
A step-by-step guide to scanning C# projects for vulnerable NuGet packages using dotnet list package --vulnerable, plus how to fix and monitor them continuously.
Case study: a malicious NuGet package compromise and its ...
Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.
Swift Package Manager dependency resolution and pinning s...
SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.
Why Choose Wolfi Linux: A Buyer Rationale for 2026
A clear-eyed look at Wolfi's value as a container base image distribution: glibc-based design, security defaults, build provenance, and where it does not fit.
Maven Central dependency confusion and namespace collisio...
How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.
Scanning Kotlin and Android projects with OWASP Dependenc...
A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.
PyPI Trusted Publishing Common Pitfalls
PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.
PyPI typosquatting and malicious Python packages targetin...
PyPI typosquatting lets attackers slip malicious Python packages into your build with one typo. Real attacks, why PyPI is exposed, and how to stay safe.
Pinning Python dependencies: requirements.txt vs Poetry a...
A practical guide to python dependency pinning with requirements.txt, pip-tools, and Poetry — locked, hash-verified builds instead of moving-target dependencies.
Auditing Python dependencies with pip-audit and Safety
A hands-on pip-audit tutorial covering Python dependency scanning, Safety CLI comparisons, and a workflow for catching PyPI vulnerabilities before release.
Auditing Rails applications' Gemfile for vulnerable depen...
A practical guide to auditing your Rails Gemfile and Gemfile.lock for vulnerable dependencies using bundler-audit, from triage through CI automation.