Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

npm audit vs Snyk: comparing vulnerability scanners

npm audit is free and built-in; Snyk adds reachability analysis and auto-fix PRs. Here's how they really compare on data, false positives, and supply chain attacks.

Apr 20, 20267 min read
Open Source Security

OpenSSF's Maintainer Handoff Governance: From Burnout-Driven Sabotage to Structured Repository Transfer

After colors.js, event-stream, and the colors-faker sabotage incidents, the OpenSSF Securing Software Repositories WG drafted guidance for when registries should allow ownership transfer of long-standing projects. Here is the defender view.

Apr 15, 20266 min read
Open Source Security

Software Composition Analysis (SCA)

SCA finds every open source package in your code and flags known CVEs against it. Here's how it works, its blind spots, and how to fix them.

Apr 15, 20266 min read
Open Source Security

Node.js Supply Chain Defence Program 2026

A practical 2026 blueprint for hardening Node.js supply chains across npm, lockfiles, scripts, and runtime — and where Safeguard plugs into the program.

Apr 12, 20267 min read
Open Source Security

Python Monorepo Supply Chain Controls 2026

How to design supply chain controls for a Python monorepo in 2026 — from PyPI quarantine to wheel provenance — with Safeguard as the policy backbone.

Apr 8, 20267 min read
Open Source Security

Java/Spring Supply Chain Defence Blueprint 2026

A 2026 blueprint for hardening Java and Spring supply chains across Maven, Gradle, fat JARs, and runtime — with Safeguard as the policy and evidence layer.

Apr 4, 20267 min read
Open Source Security

What Are Transitive Dependencies

Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.

Apr 3, 20266 min read
Open Source Security

Direct vs Transitive Dependencies

Most known vulnerabilities live in transitive dependencies, not the ones in your manifest. Here's how to tell them apart and prioritize what's exploitable.

Apr 3, 20267 min read
Open Source Security

Open Source License Compliance

Redis, Elasticsearch, and Terraform all changed licenses in the last three years. Here's how license compliance actually breaks, and how to catch it before you ship.

Apr 3, 20267 min read
Open Source Security

Types of Open Source Licenses

A breakdown of permissive, copyleft, and source-available license types—MIT, GPL, AGPL, SSPL—and why misclassified licenses create hidden supply chain risk.

Apr 2, 20267 min read
Open Source Security

Copyleft vs Permissive Licenses

Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.

Apr 2, 20267 min read
Open Source Security

Software Dependencies: How to Manage Them at Scale

Most apps run 10-20x more dependencies than engineers chose. Here's how reachability analysis and automation manage that risk at scale.

Apr 2, 20266 min read
Open Source Security (Page 5) — Supply Chain Security Blog | Safeguard