Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

JRuby Supply Chain Considerations

JRuby sits at the intersection of the Ruby and Java supply chains, and the security story reflects both. A look at how JRuby's dual nature affects gem security and what defenders should know.

Nov 5, 20248 min read
Open Source Security

Rust Procedural Macros: Security Risks

Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.

Oct 28, 20246 min read
Open Source Security

OpenSSF Scorecard Adoption Metrics: Late 2024

OpenSSF Scorecard crossed 1M scanned repos in October 2024. We break down adoption, score drift, and which checks are actually predictive.

Oct 24, 20245 min read
Open Source Security

dotnet restore Reproducibility Concerns

dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.

Oct 12, 20247 min read
Open Source Security

Ruby Native Extensions Supply Chain

Native C extensions are the most under-audited part of the Ruby supply chain: how they get built, what can go wrong, and how to monitor them as seriously as you monitor pure-Ruby code.

Oct 8, 20248 min read
Open Source Security

RubyGems.org and Sigstore: Progress Check

An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.

Sep 20, 20247 min read
Open Source Security

PyPI Typosquatting Detection at Scale

Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ecosystem scale, and where the interesting edges are.

Sep 18, 20247 min read
Open Source Security

Rust Feature Flags: Supply Chain Implications

Cargo feature flags look like a compilation convenience but they are a load-bearing piece of your supply chain posture. Here is why.

Sep 12, 20247 min read
Open Source Security

.NET Source Generator Security Risks

Source generators are C# code that executes during compilation with developer privileges. The .NET equivalent of Rust's proc macros — and the same underexamined attack surface.

Sep 5, 20246 min read
Open Source Security

Migrating to npm Granular Access Tokens

Granular access tokens have been GA for over a year. Here is the migration playbook that has worked for me across four organizations, including the gotchas nobody writes down.

Sep 5, 20247 min read
Open Source Security

PyPI Trusted Publishing: An Adoption Guide

Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials. A practical guide to adoption, pitfalls, and what it changes for your threat model.

Aug 30, 20246 min read
Open Source Security

RubyGems Typosquatting Incidents: 2024

A running ledger of typosquat incidents on RubyGems.org through 2024, the patterns across them, and what the year's data says about where the registry's defenses still fall short.

Aug 25, 20248 min read
Open Source Security (Page 26) — Supply Chain Security Blog | Safeguard