Supply Chain
In-depth guides and analysis on supply chain from the Safeguard engineering team.
46 articles
SCA Code: What Composition Analysis Actually Reads in Your Repo
A concrete look at which files SCA tooling actually parses in a repository, how it builds a dependency tree, and why SCA is required even when your own code is clean.
npm Vulnerabilities: Detection, Triage, and Fix Workflow
Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.
SBOM File Formats, Explained
An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.
When to Fork an Abandoned Dependency
Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.
SBOM Example: Reading a Real CycloneDX and SPDX Document
One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.
The boltdb-go Backdoor: A Three-Year Go Module Mirror Persistence
A typosquat of boltdb hid a Go module mirror cache-poisoning attack for three years before Socket researchers disclosed it on January 30, 2025.
SBOM Full Form and Why It Matters Now
SBOM full form is Software Bill of Materials — a complete inventory of the components in an application. Here's what it actually contains and why it matters today.
SCA in Cyber Security: What It Actually Means
SCA in cyber security stands for software composition analysis — the practice of identifying every open-source component in an application and checking it against known vulnerabilities and licenses.
What Does SCA Stand For, and Why Does It Matter Now?
SCA stands for software composition analysis, and it matters more in 2024 than it did five years ago because open source now makes up the majority of most codebases.
SCA Meaning and Full Form: Software Composition Analysis Explained
SCA stands for Software Composition Analysis — the practice of scanning your dependencies for known vulnerabilities and license risk. Here's the full form and how it actually works.