Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
What is SCA? Software Composition Analysis explained
SCA scans your open-source dependencies for known vulnerabilities and license risk. Here's what it checks, how it differs from SAST, and why reachability matters.
npm's shift from implicit to explicit trust: what changed...
npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.
10 npm security best practices
Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.
Best Software Composition Analysis tools/services ranked ...
We compare Safeguard and Mend.io on verifiable SCA dimensions — company history, Renovate, SBOM depth, and build provenance — for buyers evaluating tools in 2026.
Open source vulnerability management workflow (detect, pr...
A concrete look at the detect-prioritize-remediate workflow for open source vulnerability management, where Mend.io's SCA approach falls short, and how Safeguard closes the gap.
Reachability analysis for prioritizing vulnerable depende...
Most flagged CVEs in your dependency tree are never executed. Here's how reachability analysis application security separates exploitable risk from noise—and how Safeguard compares to Mend.io.
Contextual project classification for SCA accuracy
Flat SCA scanning treats every dependency the same, burying real risk under test-path noise. Here's how contextual project classification fixes accuracy — and where Mend.io falls short.
Automated dependency updates and patch management
How automated dependency updates actually close the patch gap—where Mend.io's approach falls short, and what reachability, provenance, and policy-as-code add.
ROI of automated dependency management (Renovate Enterprise)
Automated dependency updates promise real ROI, but Renovate Enterprise's PR-scheduling model often stalls at the review bottleneck. Here's how to measure the real numbers.
Malicious packages and malware campaigns: the new reality...
Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.
Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal
Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.
What is the BSD license? Top 10 questions answered
The BSD license explained: its 0-, 2-, 3-, and 4-clause variants, how it differs from MIT and GPL, and which real projects run on it.