Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
JRuby Supply Chain Considerations
JRuby sits at the intersection of the Ruby and Java supply chains, and the security story reflects both. A look at how JRuby's dual nature affects gem security and what defenders should know.
Rust Procedural Macros: Security Risks
Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.
OpenSSF Scorecard Adoption Metrics: Late 2024
OpenSSF Scorecard crossed 1M scanned repos in October 2024. We break down adoption, score drift, and which checks are actually predictive.
dotnet restore Reproducibility Concerns
dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.
Ruby Native Extensions Supply Chain
Native C extensions are the most under-audited part of the Ruby supply chain: how they get built, what can go wrong, and how to monitor them as seriously as you monitor pure-Ruby code.
RubyGems.org and Sigstore: Progress Check
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
PyPI Typosquatting Detection at Scale
Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ecosystem scale, and where the interesting edges are.
Rust Feature Flags: Supply Chain Implications
Cargo feature flags look like a compilation convenience but they are a load-bearing piece of your supply chain posture. Here is why.
.NET Source Generator Security Risks
Source generators are C# code that executes during compilation with developer privileges. The .NET equivalent of Rust's proc macros — and the same underexamined attack surface.
Migrating to npm Granular Access Tokens
Granular access tokens have been GA for over a year. Here is the migration playbook that has worked for me across four organizations, including the gotchas nobody writes down.
PyPI Trusted Publishing: An Adoption Guide
Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials. A practical guide to adoption, pitfalls, and what it changes for your threat model.
RubyGems Typosquatting Incidents: 2024
A running ledger of typosquat incidents on RubyGems.org through 2024, the patterns across them, and what the year's data says about where the registry's defenses still fall short.