Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
Hugging Face's Guardian-Plus-Picklescan Stack: How the Model Hub Scanning Posture Evolved Through 2025-2026
Following NullifAI and the broken-pickle bypass campaigns, Hugging Face layered Protect AI's Guardian on top of Picklescan, ClamAV, and secrets scanning across 1.5 million public models. Here is the defender view of the new pipeline.
NuGet Package Signing Status in 2026
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
How to set up software composition analysis (SCA)
A practical, step-by-step guide to setting up software composition analysis: choosing a tool, setting policy, and integrating scans into CI/CD.
Maven Central Sigstore Migration Status
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
What is a Software License
A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.
What is Open Source Software
Open source software now sits in 96% of codebases. Here's what OSS actually is, how licensing works, and where the real security risk hides.
What is a Package Manager
Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.
What is npm Security
A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.
What is PyPI Security
PyPI security stops typosquats, dependency confusion, and poisoned CI builds before pip install ever runs your code.
What is Maven Security
Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.
Go Module Checksum Database In Depth
The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it actually works and where it still has edges.
Using cargo-audit and the RustSec Advisory Database to ca...
A hands-on cargo-audit tutorial: scan Rust dependencies against the RustSec advisory database, interpret results, and block vulnerable crates before they ship.