Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

Maven Plugin Verification: Securing Your Java Build Pipeline

Maven plugins execute during your build with full JVM access. Here is how to verify they are legitimate and have not been tampered with.

May 8, 20244 min read
Software Supply Chain Security

Dependency Firewalls: Concept, Architecture, and Implementation

A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.

Mar 25, 20247 min read
Software Supply Chain Security

Abandoned Package Takeover: When Maintainers Walk Away

Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.

Mar 5, 20245 min read
Software Supply Chain Security

Crates.io Security Audit Results: The State of Rust Package Security

Security audits of the Rust crate ecosystem reveal patterns of unsafe code, build script risks, and supply chain vulnerabilities. Here is what the data shows.

Mar 5, 20246 min read
Software Supply Chain Security

Dependency Confusion in Private Registries: The Attack That Keeps Working

Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.

Feb 20, 20245 min read
Software Supply Chain Security

How to Security Audit an Open Source Project Before Adoption

Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the security posture of open source projects before adding them to your supply chain.

Jan 15, 20246 min read
Software Supply Chain Security

Ansible Galaxy Security Risks: The Infrastructure Supply Chain You Forgot About

Ansible Galaxy roles and collections execute with root privileges on your infrastructure. Most teams apply zero security scrutiny to them.

Jan 8, 20244 min read
Software Supply Chain Security

Gradle Plugin Security Risks: The Code That Runs Before Your Code

Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.

Jan 8, 20244 min read
Software Supply Chain Security

Post-Install Hooks Across Package Managers: A Comparative Security Analysis

Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.

Dec 10, 20235 min read
Software Supply Chain Security

Dependency Hijacking Prevention: A Comprehensive Guide

Dependency hijacking encompasses multiple attack techniques that redirect dependency resolution to attacker-controlled packages. This guide covers all major hijacking vectors and their countermeasures.

Nov 5, 20235 min read
Software Supply Chain Security

RubyGems Yanked Gems: Security Risks of Removed Ruby Packages

When a Ruby gem is yanked from RubyGems.org, it creates security risks for projects that depended on it. Understanding the yanking mechanism is critical for Ruby supply chain security.

Nov 5, 20235 min read
Software Supply Chain Security

Dart/Flutter Dependency Security: Securing the Mobile Supply Chain

Flutter's pub ecosystem is growing fast. The security tooling has not kept pace. Here is what you need to know about securing Dart dependencies.

Sep 12, 20235 min read
Software Supply Chain Security (Page 12) — Supply Chain Security Blog | Safeguard