Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
npm audit vs Snyk: comparing vulnerability scanners
npm audit is free and built-in; Snyk adds reachability analysis and auto-fix PRs. Here's how they really compare on data, false positives, and supply chain attacks.
OpenSSF's Maintainer Handoff Governance: From Burnout-Driven Sabotage to Structured Repository Transfer
After colors.js, event-stream, and the colors-faker sabotage incidents, the OpenSSF Securing Software Repositories WG drafted guidance for when registries should allow ownership transfer of long-standing projects. Here is the defender view.
Software Composition Analysis (SCA)
SCA finds every open source package in your code and flags known CVEs against it. Here's how it works, its blind spots, and how to fix them.
Node.js Supply Chain Defence Program 2026
A practical 2026 blueprint for hardening Node.js supply chains across npm, lockfiles, scripts, and runtime — and where Safeguard plugs into the program.
Python Monorepo Supply Chain Controls 2026
How to design supply chain controls for a Python monorepo in 2026 — from PyPI quarantine to wheel provenance — with Safeguard as the policy backbone.
Java/Spring Supply Chain Defence Blueprint 2026
A 2026 blueprint for hardening Java and Spring supply chains across Maven, Gradle, fat JARs, and runtime — with Safeguard as the policy and evidence layer.
What Are Transitive Dependencies
Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.
Direct vs Transitive Dependencies
Most known vulnerabilities live in transitive dependencies, not the ones in your manifest. Here's how to tell them apart and prioritize what's exploitable.
Open Source License Compliance
Redis, Elasticsearch, and Terraform all changed licenses in the last three years. Here's how license compliance actually breaks, and how to catch it before you ship.
Types of Open Source Licenses
A breakdown of permissive, copyleft, and source-available license types—MIT, GPL, AGPL, SSPL—and why misclassified licenses create hidden supply chain risk.
Copyleft vs Permissive Licenses
Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.
Software Dependencies: How to Manage Them at Scale
Most apps run 10-20x more dependencies than engineers chose. Here's how reachability analysis and automation manage that risk at scale.