Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Rust Supply Chain: cargo-vet Expansion in 2025

Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.

Apr 15, 20255 min read
Open Source Security

PyPI Attestation Requirements: A Roadmap Read

PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.

Mar 10, 20257 min read
Open Source Security

How to Monitor Go Module Substitution Attacks

Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitoring — complete with working examples.

Mar 4, 20255 min read
Open Source Security

Python Cython Extensions and the Supply Chain

Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces supply chain surface most teams have not mapped.

Feb 14, 20257 min read
Open Source Security

PyPI Organization Accounts: The Security Model

PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.

Jan 20, 20257 min read
Open Source Security

RubyGems Reserved Namespace Claims

A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, and where it falls short for real enterprise use cases.

Dec 18, 20248 min read
Open Source Security

Rust Embedded Supply Chain Guide

Rust is moving into embedded production fast. The supply chain shape for firmware is different from server-side Rust — smaller trees, longer lifetimes, tighter regulations.

Dec 18, 20246 min read
Open Source Security

PyPI Download Statistics as a Security Signal

PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read them for security purposes, and where they break.

Dec 15, 20246 min read
Open Source Security

An npm Incident Response Playbook

When an npm package in your dependency graph is compromised at midnight, you need a playbook, not a brainstorm. Here is the one I wrote after three real incidents.

Nov 28, 20247 min read
Open Source Security

NuGet Signed Packages Verification

NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.

Nov 22, 20245 min read
Open Source Security

Auditing Rust unsafe Code at Scale

How to actually audit unsafe blocks across a large Rust dependency graph without drowning in false positives or miss real issues.

Nov 18, 20247 min read
Open Source Security

Java Modules Supply Chain Security

The Java Platform Module System arrived in Java 9 and has aged into quiet maturity. What JPMS actually does for supply chain posture in enterprise Java.

Nov 15, 20245 min read
Open Source Security (Page 25) — Supply Chain Security Blog | Safeguard