Supply Chain
In-depth guides and analysis on supply chain from the Safeguard engineering team.
46 articles
Open Source Security Platforms: What They Actually Do
An open source security platform isn't one tool — it's usually a combination of SCA, license scanning, and vulnerability intelligence stitched into a pipeline that watches your dependencies.
GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack
GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.
Software Supply Chain Security News: How to Actually Track It
Software supply chain security news moves across a dozen disconnected sources — registries, CVE feeds, vendor blogs — here's a repeatable system for not missing the one that hits you.
PyPI Malware in 2026: What Changed
PyPI malware today looks less like typosquats and more like AI-assisted campaigns that mimic legitimate maintainers — here's what shifted and how teams are catching it before install.
Supply Chain Vulnerability Protection: A Checklist
A working checklist for supply chain vulnerability protection, from dependency inventory through SBOM generation and continuous re-scanning, built for teams shipping today.
Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing
By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.
Blocking Malicious Packages at the Proxy Level With Artifactory
Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.
SCA Security Tools: A Practical Shortlist
A working shortlist of SCA security tools, what actually differentiates them beyond CVE counts, and how to pick an sca solution that fits your ecosystem.
Open Source Security Management: From Policy to Pipeline
A policy document nobody enforces is theater. Here is how to turn open source rules into pipeline checks that developers can live with.
PyPI Security: Malware Campaigns and How to Defend
The Python Package Index has become a first-class malware channel — from the ctx hijack to the ultralytics pipeline compromise. Here are the campaigns worth studying and the defenses that work.
Open Source Vulnerability Management Tools, Compared
OSV-Scanner, Trivy, Grype, and Dependency-Check all find known CVEs for free, but they differ sharply in language coverage, database freshness, and how far they get you toward an actual fix.
Inside PyPI Project Quarantine: How the Reversible Takedown Workflow Has Performed Since Launch
PyPI's Project Quarantine status, introduced in August 2024 and used roughly 140 times in its first year, replaces irreversible deletions with a reversible hidden state. Here is how the workflow operates and how to consume the signal.