Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Maven Plugin Verification: Securing Your Java Build Pipeline
Maven plugins execute during your build with full JVM access. Here is how to verify they are legitimate and have not been tampered with.
Dependency Firewalls: Concept, Architecture, and Implementation
A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.
Abandoned Package Takeover: When Maintainers Walk Away
Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.
Crates.io Security Audit Results: The State of Rust Package Security
Security audits of the Rust crate ecosystem reveal patterns of unsafe code, build script risks, and supply chain vulnerabilities. Here is what the data shows.
Dependency Confusion in Private Registries: The Attack That Keeps Working
Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.
How to Security Audit an Open Source Project Before Adoption
Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the security posture of open source projects before adding them to your supply chain.
Ansible Galaxy Security Risks: The Infrastructure Supply Chain You Forgot About
Ansible Galaxy roles and collections execute with root privileges on your infrastructure. Most teams apply zero security scrutiny to them.
Gradle Plugin Security Risks: The Code That Runs Before Your Code
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.
Post-Install Hooks Across Package Managers: A Comparative Security Analysis
Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.
Dependency Hijacking Prevention: A Comprehensive Guide
Dependency hijacking encompasses multiple attack techniques that redirect dependency resolution to attacker-controlled packages. This guide covers all major hijacking vectors and their countermeasures.
RubyGems Yanked Gems: Security Risks of Removed Ruby Packages
When a Ruby gem is yanked from RubyGems.org, it creates security risks for projects that depended on it. Understanding the yanking mechanism is critical for Ruby supply chain security.
Dart/Flutter Dependency Security: Securing the Mobile Supply Chain
Flutter's pub ecosystem is growing fast. The security tooling has not kept pace. Here is what you need to know about securing Dart dependencies.