Safeguard
Topic

Supply Chain

In-depth guides and analysis on supply chain from the Safeguard engineering team.

46 articles

Supply Chain

SCA Code: What Composition Analysis Actually Reads in Your Repo

A concrete look at which files SCA tooling actually parses in a repository, how it builds a dependency tree, and why SCA is required even when your own code is clean.

Apr 2, 20255 min read
Supply Chain

npm Vulnerabilities: Detection, Triage, and Fix Workflow

Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.

Mar 18, 20256 min read
Supply Chain

SBOM File Formats, Explained

An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.

Mar 18, 20255 min read
Supply Chain

When to Fork an Abandoned Dependency

Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.

Mar 18, 20256 min read
Supply Chain

SBOM Example: Reading a Real CycloneDX and SPDX Document

One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.

Mar 18, 20256 min read
Supply Chain

The boltdb-go Backdoor: A Three-Year Go Module Mirror Persistence

A typosquat of boltdb hid a Go module mirror cache-poisoning attack for three years before Socket researchers disclosed it on January 30, 2025.

Feb 5, 20256 min read
Supply Chain

SBOM Full Form and Why It Matters Now

SBOM full form is Software Bill of Materials — a complete inventory of the components in an application. Here's what it actually contains and why it matters today.

Aug 19, 20244 min read
Supply Chain

SCA in Cyber Security: What It Actually Means

SCA in cyber security stands for software composition analysis — the practice of identifying every open-source component in an application and checking it against known vulnerabilities and licenses.

Jul 30, 20245 min read
Supply Chain

What Does SCA Stand For, and Why Does It Matter Now?

SCA stands for software composition analysis, and it matters more in 2024 than it did five years ago because open source now makes up the majority of most codebases.

Mar 12, 20245 min read
Supply Chain

SCA Meaning and Full Form: Software Composition Analysis Explained

SCA stands for Software Composition Analysis — the practice of scanning your dependencies for known vulnerabilities and license risk. Here's the full form and how it actually works.

Feb 8, 20245 min read
Supply Chain (Page 4) — Supply Chain Security Blog | Safeguard