Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

What is Dependency Management

Dependency management means tracking, scanning, and patching the open source packages your app relies on -- here's how it works and why it matters.

Apr 2, 20267 min read
Open Source Security

Known Vulnerabilities in Dependencies

Known vulnerabilities in dependencies cause most supply-chain breaches, not because they're undetected but because teams can't tell which ones are reachable.

Apr 1, 20267 min read
Open Source Security

What is Open Source Security

Open source powers 70-90% of modern codebases. Learn what open source security means, its real risks, and how reachability analysis cuts through the noise.

Apr 1, 20266 min read
Open Source Security

Wolfi: the community Linux 'undistro'

Wolfi calls itself an "undistro," not a distro — and it's the open-source foundation under Chainguard Images. Here's what that actually means, and where the gaps are.

Mar 31, 20267 min read
Open Source Security

Go Modules Supply Chain Program Blueprint 2026

A 2026 blueprint for Go modules supply chain security — from proxy and checksum database to vendoring and binary provenance — anchored by Safeguard.

Mar 30, 20267 min read
Open Source Security

apko and melange: declarative container build tools

How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.

Mar 30, 20268 min read
Open Source Security

Rust Cargo Supply Chain Defence Program

A 2026 defence program for Rust and Cargo — covering crates.io, build scripts, proc-macros, and binary provenance — anchored by Safeguard policy gates.

Mar 25, 20267 min read
Open Source Security

Open Source Vulnerability Database Comparison 2026

Comparing the major open source vulnerability databases in 2026: NVD, OSV, GHSA, GitLab Advisory, and ecosystem-specific feeds measured on coverage and freshness.

Mar 22, 20265 min read
Open Source Security

Open Source Funding Crisis: What It Means for Your Tree

Critical infrastructure depends on unpaid maintainers, and burnout creates openings attackers exploit. xz-utils was the warning shot, not the exception.

Mar 21, 20267 min read
Open Source Security

.NET / NuGet Enterprise Supply Chain Program

An enterprise-grade .NET and NuGet supply chain program for 2026 — covering feeds, lockfiles, MSBuild targets, and runtime — backed by Safeguard.

Mar 20, 20267 min read
Open Source Security

Ruby / Bundler Supply Chain Program 2026

A 2026 supply chain program for Ruby and Bundler — covering RubyGems, Gemfile.lock, native extensions, and Rails — anchored by Safeguard policy gates.

Mar 15, 20267 min read
Open Source Security

crates.io's Security Team in 2026: Response Workflow, Notification Policy Change, and the Alpha-Omega Investment

After the September 2025 phishing wave and the December evm-units removal, the crates.io team announced a notification policy update in February 2026 and the Rust Foundation deployed crate-scanning infrastructure funded by Alpha-Omega.

Mar 12, 20267 min read
Open Source Security (Page 6) — Supply Chain Security Blog | Safeguard