Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

What is Binary Composition Analysis

Binary composition analysis identifies open source components inside compiled artifacts—no source code needed. Here's how it works and why it matters.

Feb 4, 20267 min read
Open Source Security

What is License Scanning

License scanning finds every open source license in your dependency tree before it becomes a legal or compliance problem — here's how it works and why it changed in 2024.

Feb 4, 20266 min read
Open Source Security

Scanning Go codebases for known vulnerabilities with govu...

A practical govulncheck tutorial for scanning Go codebases for known vulnerabilities, auditing dependencies, and wiring checks into your CI pipeline.

Feb 3, 20267 min read
Open Source Security

RubyGems supply chain attacks: gem typosquatting and hija...

A look at RubyGems typosquatting and maintainer takeovers: how malicious Ruby gems slip into the supply chain, and what actually stops them.

Feb 3, 20267 min read
Open Source Security

Bundler dependency pinning and Gemfile.lock as a supply c...

A step-by-step guide to Gemfile.lock security: pin gems deliberately, enforce ruby lockfile integrity with checksums, and lock down bundle install in CI/CD.

Feb 2, 20268 min read
Open Source Security

Rust crates.io Supply Chain Controls in 2026

crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.

Feb 2, 20266 min read
Open Source Security

Auditing Ruby dependencies for known CVEs with bundler-audit

A step-by-step bundler-audit tutorial for scanning Ruby gems against known CVEs, patching vulnerable dependencies, and enforcing the check in CI.

Feb 2, 20267 min read
Open Source Security

Case study: RubyGems account takeover incidents and their...

A look at real RubyGems account takeover incidents, including the rest-client hijack, and what they reveal about Ruby supply chain risk.

Feb 2, 20268 min read
Open Source Security

Hex.pm package registry security and Elixir supply chain ...

Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.

Feb 1, 20267 min read
Open Source Security

Mix dependency management and mix.lock integrity in Elixi...

A practical guide to mix.lock integrity: pinning Elixir dependencies, verifying lockfile hashes, and preventing supply chain tampering in mix.exs projects.

Feb 1, 20268 min read
Open Source Security

Auditing Elixir and Phoenix apps with mix_audit and Sobelow

A hands-on mix_audit Sobelow tutorial for scanning Elixir and Phoenix apps: dependency audits, static analysis, CI wiring, and triage tips.

Feb 1, 20267 min read
Open Source Security

NuGet supply chain attacks: typosquatting and dependency ...

NuGet typosquatting and dependency confusion let attackers plant malicious packages in .NET builds. Here's how real campaigns worked and how to stop them.

Jan 31, 20268 min read
Open Source Security (Page 9) — Supply Chain Security Blog | Safeguard