open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Typosquatting and malicious Go modules published to pkg.g...
How malicious Go modules exploit pkg.go.dev's open publishing model, real typosquatting attacks like steelpoor/tlsproxy, and why Go's module proxy makes cleanup so hard.
Scanning Go codebases for known vulnerabilities with govu...
A practical govulncheck tutorial for scanning Go codebases for known vulnerabilities, auditing dependencies, and wiring checks into your CI pipeline.
RubyGems supply chain attacks: gem typosquatting and hija...
A look at RubyGems typosquatting and maintainer takeovers: how malicious Ruby gems slip into the supply chain, and what actually stops them.
Bundler dependency pinning and Gemfile.lock as a supply c...
A step-by-step guide to Gemfile.lock security: pin gems deliberately, enforce ruby lockfile integrity with checksums, and lock down bundle install in CI/CD.
Auditing Ruby dependencies for known CVEs with bundler-audit
A step-by-step bundler-audit tutorial for scanning Ruby gems against known CVEs, patching vulnerable dependencies, and enforcing the check in CI.
Case study: RubyGems account takeover incidents and their...
A look at real RubyGems account takeover incidents, including the rest-client hijack, and what they reveal about Ruby supply chain risk.
Hex.pm package registry security and Elixir supply chain ...
Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.
Mix dependency management and mix.lock integrity in Elixi...
A practical guide to mix.lock integrity: pinning Elixir dependencies, verifying lockfile hashes, and preventing supply chain tampering in mix.exs projects.
Auditing Elixir and Phoenix apps with mix_audit and Sobelow
A hands-on mix_audit Sobelow tutorial for scanning Elixir and Phoenix apps: dependency audits, static analysis, CI wiring, and triage tips.
NuGet supply chain attacks: typosquatting and dependency ...
NuGet typosquatting and dependency confusion let attackers plant malicious packages in .NET builds. Here's how real campaigns worked and how to stop them.
NuGet package signing, source mapping, and verifying pack...
A practical guide to NuGet package signing, source mapping, and provenance verification for .NET teams — with commands, config, and a troubleshooting checklist.
Finding vulnerable .NET dependencies with dotnet list pac...
A step-by-step guide to scanning C# projects for vulnerable NuGet packages using dotnet list package --vulnerable, plus how to fix and monitor them continuously.