Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
Cargo.lock integrity and reproducible builds as a supply ...
Cargo.lock pins your dependency tree, but only reproducible builds prove the binary you ship matches the source you reviewed and approved.
Event-Stream npm 2018: Package Trust Lessons That Still Apply
The event-stream npm incident remains the cleanest case study in maintainer-handoff risk. What it taught the ecosystem, and what we still ignore in 2026.
Sigstore Rekor Transparency Log Deep Dive 2026
How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.
Case study: crates.io maintainer account takeover and mal...
How a compromised maintainer credential becomes a crates.io account takeover and a malicious crate version in the Rust software supply chain.
Go module proxy security: how GOPROXY and sum.golang.org ...
How GOPROXY and sum.golang.org protect Go builds with caching and checksum verification, and where trust-on-first-use gaps let malicious modules slip through.
Typosquatting and malicious Go modules published to pkg.g...
How malicious Go modules exploit pkg.go.dev's open publishing model, real typosquatting attacks like steelpoor/tlsproxy, and why Go's module proxy makes cleanup so hard.
What is a Private Package Registry
A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.
What is Artifact Repository Security
Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.
What is Reproducible Builds
Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.
Anatomy of a Go module supply chain compromise: lessons f...
Real incidents like the xz-utils backdoor reveal the anatomy of a go module supply chain compromise: maintainer trust, init() execution, and immutable proxy caching.
CocoaPods supply chain security and Podfile.lock integrit...
A 2024 CocoaPods Trunk server flaw let attackers hijack orphaned pods and exposed a deeper gap: Podfile.lock never verified dependency integrity in the first place.
iOS app supply chain risk from third-party SDKs and ad li...
Third-party SDKs and ad libraries run inside your iOS app with your app's permissions. Here's how ios sdk supply chain risk hides in plain sight — and what Safeguard does about it.