Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Go Module Hijacking Detection
Module hijacking in Go is rare compared to npm, but it does happen, and the patterns worth watching are different from what you might expect from other ecosystems.
Bundler Lockfile Security Practices
How to use Gemfile.lock as a real security artifact: checksums, frozen mode, reproducible resolves, and what changed in Bundler 2.5's expanded lockfile format.
npm Workspaces Security Considerations
Workspaces are fantastic for developer experience and hostile to naive security tooling. Here is what actually changes when you flip them on.
Maven Central Changes in 2024 and Their Security Impact
Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what changed, who was affected, and what Java teams should do.
Go Workspaces Supply Chain Risks
Go workspaces make multi-module development feel natural, but the go.work file introduces a new trust boundary that can quietly override pinned versions and bypass checksum verification.
PyPI Package Yanking Policies Analyzed
Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, what it doesn't do, and when to use it instead of a delete.
.NET Supply Chain Audit Patterns
Auditing a .NET supply chain is a different exercise than auditing a JavaScript one, and the patterns that actually find problems are specific to how the ecosystem works.
Managing Python Package Namespace Conflicts
Python's flat namespace creates real security problems. Here is how namespace packages, shadowing, and install order interact, and how to avoid the surprises.
Rust no_std Supply Chain Considerations
Writing Rust for embedded or kernel targets drops you into no_std territory, and the supply chain rules are different there. A practical look at what changes and why.
The OSS Pledge: Adoption Tracking at Six Months
Six months after the OSS Pledge launch, adoption is climbing but uneven. Who signed, who followed through with funding, and what the pledge has actually shifted in open-source economics.
Kotlin Multiplatform Supply Chain Risks
Kotlin Multiplatform ships one codebase to JVM, iOS, Android, JS, and native targets. The supply chain surface expands in specific ways worth tracking.
CNCF Project Security Audits: What They Find and Why They Matter
The Cloud Native Computing Foundation funds independent security audits for its projects. The findings reveal patterns that every cloud native adopter should understand.