Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
What is Dependency Management
Dependency management means tracking, scanning, and patching the open source packages your app relies on -- here's how it works and why it matters.
Known Vulnerabilities in Dependencies
Known vulnerabilities in dependencies cause most supply-chain breaches, not because they're undetected but because teams can't tell which ones are reachable.
What is Open Source Security
Open source powers 70-90% of modern codebases. Learn what open source security means, its real risks, and how reachability analysis cuts through the noise.
Wolfi: the community Linux 'undistro'
Wolfi calls itself an "undistro," not a distro — and it's the open-source foundation under Chainguard Images. Here's what that actually means, and where the gaps are.
Go Modules Supply Chain Program Blueprint 2026
A 2026 blueprint for Go modules supply chain security — from proxy and checksum database to vendoring and binary provenance — anchored by Safeguard.
apko and melange: declarative container build tools
How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.
Rust Cargo Supply Chain Defence Program
A 2026 defence program for Rust and Cargo — covering crates.io, build scripts, proc-macros, and binary provenance — anchored by Safeguard policy gates.
Open Source Vulnerability Database Comparison 2026
Comparing the major open source vulnerability databases in 2026: NVD, OSV, GHSA, GitLab Advisory, and ecosystem-specific feeds measured on coverage and freshness.
Open Source Funding Crisis: What It Means for Your Tree
Critical infrastructure depends on unpaid maintainers, and burnout creates openings attackers exploit. xz-utils was the warning shot, not the exception.
.NET / NuGet Enterprise Supply Chain Program
An enterprise-grade .NET and NuGet supply chain program for 2026 — covering feeds, lockfiles, MSBuild targets, and runtime — backed by Safeguard.
Ruby / Bundler Supply Chain Program 2026
A 2026 supply chain program for Ruby and Bundler — covering RubyGems, Gemfile.lock, native extensions, and Rails — anchored by Safeguard policy gates.
crates.io's Security Team in 2026: Response Workflow, Notification Policy Change, and the Alpha-Omega Investment
After the September 2025 phishing wave and the December evm-units removal, the crates.io team announced a notification policy update in February 2026 and the Rust Foundation deployed crate-scanning infrastructure funded by Alpha-Omega.