Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

What is SCA? Software Composition Analysis explained

SCA scans your open-source dependencies for known vulnerabilities and license risk. Here's what it checks, how it differs from SAST, and why reachability matters.

Jun 3, 20266 min read
Open Source Security

npm's shift from implicit to explicit trust: what changed...

npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.

May 29, 20267 min read
Open Source Security

10 npm security best practices

Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.

May 28, 20267 min read
Open Source Security

Best Software Composition Analysis tools/services ranked ...

We compare Safeguard and Mend.io on verifiable SCA dimensions — company history, Renovate, SBOM depth, and build provenance — for buyers evaluating tools in 2026.

May 27, 20268 min read
Open Source Security

Open source vulnerability management workflow (detect, pr...

A concrete look at the detect-prioritize-remediate workflow for open source vulnerability management, where Mend.io's SCA approach falls short, and how Safeguard closes the gap.

May 24, 20267 min read
Open Source Security

Reachability analysis for prioritizing vulnerable depende...

Most flagged CVEs in your dependency tree are never executed. Here's how reachability analysis application security separates exploitable risk from noise—and how Safeguard compares to Mend.io.

May 23, 20268 min read
Open Source Security

Contextual project classification for SCA accuracy

Flat SCA scanning treats every dependency the same, burying real risk under test-path noise. Here's how contextual project classification fixes accuracy — and where Mend.io falls short.

May 23, 20267 min read
Open Source Security

Automated dependency updates and patch management

How automated dependency updates actually close the patch gap—where Mend.io's approach falls short, and what reachability, provenance, and policy-as-code add.

May 21, 20267 min read
Open Source Security

ROI of automated dependency management (Renovate Enterprise)

Automated dependency updates promise real ROI, but Renovate Enterprise's PR-scheduling model often stalls at the review bottleneck. Here's how to measure the real numbers.

May 21, 20267 min read
Open Source Security

Malicious packages and malware campaigns: the new reality...

Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.

May 21, 20267 min read
Open Source Security

Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal

Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.

May 15, 20267 min read
Open Source Security

What is the BSD license? Top 10 questions answered

The BSD license explained: its 0-, 2-, 3-, and 4-clause variants, how it differs from MIT and GPL, and which real projects run on it.

May 9, 20268 min read
Open Source Security (Page 3) — Supply Chain Security Blog | Safeguard