Safeguard
Topic

Supply Chain

In-depth guides and analysis on supply chain from the Safeguard engineering team.

46 articles

Supply Chain

Open Source Security Platforms: What They Actually Do

An open source security platform isn't one tool — it's usually a combination of SCA, license scanning, and vulnerability intelligence stitched into a pipeline that watches your dependencies.

Mar 30, 20266 min read
Supply Chain

GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack

GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.

Mar 25, 20266 min read
Supply Chain

Software Supply Chain Security News: How to Actually Track It

Software supply chain security news moves across a dozen disconnected sources — registries, CVE feeds, vendor blogs — here's a repeatable system for not missing the one that hits you.

Mar 24, 20265 min read
Supply Chain

PyPI Malware in 2026: What Changed

PyPI malware today looks less like typosquats and more like AI-assisted campaigns that mimic legitimate maintainers — here's what shifted and how teams are catching it before install.

Mar 11, 20265 min read
Supply Chain

Supply Chain Vulnerability Protection: A Checklist

A working checklist for supply chain vulnerability protection, from dependency inventory through SBOM generation and continuous re-scanning, built for teams shipping today.

Mar 9, 20265 min read
Supply Chain

Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing

By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.

Mar 3, 20266 min read
Supply Chain

Blocking Malicious Packages at the Proxy Level With Artifactory

Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.

Feb 18, 20266 min read
Supply Chain

SCA Security Tools: A Practical Shortlist

A working shortlist of SCA security tools, what actually differentiates them beyond CVE counts, and how to pick an sca solution that fits your ecosystem.

Feb 18, 20265 min read
Supply Chain

Open Source Security Management: From Policy to Pipeline

A policy document nobody enforces is theater. Here is how to turn open source rules into pipeline checks that developers can live with.

Feb 12, 20265 min read
Supply Chain

PyPI Security: Malware Campaigns and How to Defend

The Python Package Index has become a first-class malware channel — from the ctx hijack to the ultralytics pipeline compromise. Here are the campaigns worth studying and the defenses that work.

Feb 12, 20266 min read
Supply Chain

Open Source Vulnerability Management Tools, Compared

OSV-Scanner, Trivy, Grype, and Dependency-Check all find known CVEs for free, but they differ sharply in language coverage, database freshness, and how far they get you toward an actual fix.

Feb 11, 20266 min read
Supply Chain

Inside PyPI Project Quarantine: How the Reversible Takedown Workflow Has Performed Since Launch

PyPI's Project Quarantine status, introduced in August 2024 and used roughly 140 times in its first year, replaces irreversible deletions with a reversible hidden state. Here is how the workflow operates and how to consume the signal.

Feb 4, 20266 min read
Supply Chain (Page 2) — Supply Chain Security Blog | Safeguard