Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

Hugging Face's Guardian-Plus-Picklescan Stack: How the Model Hub Scanning Posture Evolved Through 2025-2026

Following NullifAI and the broken-pickle bypass campaigns, Hugging Face layered Protect AI's Guardian on top of Picklescan, ClamAV, and secrets scanning across 1.5 million public models. Here is the defender view of the new pipeline.

Feb 18, 20267 min read
Open Source Security

NuGet Package Signing Status in 2026

NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.

Feb 17, 20267 min read
Open Source Security

How to set up software composition analysis (SCA)

A practical, step-by-step guide to setting up software composition analysis: choosing a tool, setting policy, and integrating scans into CI/CD.

Feb 15, 20267 min read
Open Source Security

Maven Central Sigstore Migration Status

Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.

Feb 12, 20267 min read
Open Source Security

What is a Software License

A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.

Feb 9, 20269 min read
Open Source Security

What is Open Source Software

Open source software now sits in 96% of codebases. Here's what OSS actually is, how licensing works, and where the real security risk hides.

Feb 9, 20268 min read
Open Source Security

What is a Package Manager

Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.

Feb 8, 20267 min read
Open Source Security

What is npm Security

A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.

Feb 8, 20268 min read
Open Source Security

What is PyPI Security

PyPI security stops typosquats, dependency confusion, and poisoned CI builds before pip install ever runs your code.

Feb 8, 20267 min read
Open Source Security

What is Maven Security

Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.

Feb 8, 20267 min read
Open Source Security

Go Module Checksum Database In Depth

The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it actually works and where it still has edges.

Feb 7, 20266 min read
Open Source Security

Using cargo-audit and the RustSec Advisory Database to ca...

A hands-on cargo-audit tutorial: scan Rust dependencies against the RustSec advisory database, interpret results, and block vulnerable crates before they ship.

Feb 5, 20267 min read
Open Source Security (Page 8) — Supply Chain Security Blog | Safeguard