Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Rust Supply Chain: cargo-vet Expansion in 2025
Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.
PyPI Attestation Requirements: A Roadmap Read
PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.
How to Monitor Go Module Substitution Attacks
Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitoring — complete with working examples.
Python Cython Extensions and the Supply Chain
Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces supply chain surface most teams have not mapped.
PyPI Organization Accounts: The Security Model
PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.
RubyGems Reserved Namespace Claims
A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, and where it falls short for real enterprise use cases.
Rust Embedded Supply Chain Guide
Rust is moving into embedded production fast. The supply chain shape for firmware is different from server-side Rust — smaller trees, longer lifetimes, tighter regulations.
PyPI Download Statistics as a Security Signal
PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read them for security purposes, and where they break.
An npm Incident Response Playbook
When an npm package in your dependency graph is compromised at midnight, you need a playbook, not a brainstorm. Here is the one I wrote after three real incidents.
NuGet Signed Packages Verification
NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.
Auditing Rust unsafe Code at Scale
How to actually audit unsafe blocks across a large Rust dependency graph without drowning in false positives or miss real issues.
Java Modules Supply Chain Security
The Java Platform Module System arrived in Java 9 and has aged into quiet maturity. What JPMS actually does for supply chain posture in enterprise Java.