Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Software Supply Chain Security

Typosquatting and malicious Go modules published to pkg.g...

How malicious Go modules exploit pkg.go.dev's open publishing model, real typosquatting attacks like steelpoor/tlsproxy, and why Go's module proxy makes cleanup so hard.

Feb 4, 20268 min read
Open Source Security

Scanning Go codebases for known vulnerabilities with govu...

A practical govulncheck tutorial for scanning Go codebases for known vulnerabilities, auditing dependencies, and wiring checks into your CI pipeline.

Feb 3, 20267 min read
Open Source Security

RubyGems supply chain attacks: gem typosquatting and hija...

A look at RubyGems typosquatting and maintainer takeovers: how malicious Ruby gems slip into the supply chain, and what actually stops them.

Feb 3, 20267 min read
Open Source Security

Bundler dependency pinning and Gemfile.lock as a supply c...

A step-by-step guide to Gemfile.lock security: pin gems deliberately, enforce ruby lockfile integrity with checksums, and lock down bundle install in CI/CD.

Feb 2, 20268 min read
Open Source Security

Auditing Ruby dependencies for known CVEs with bundler-audit

A step-by-step bundler-audit tutorial for scanning Ruby gems against known CVEs, patching vulnerable dependencies, and enforcing the check in CI.

Feb 2, 20267 min read
Open Source Security

Case study: RubyGems account takeover incidents and their...

A look at real RubyGems account takeover incidents, including the rest-client hijack, and what they reveal about Ruby supply chain risk.

Feb 2, 20268 min read
Open Source Security

Hex.pm package registry security and Elixir supply chain ...

Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.

Feb 1, 20267 min read
Open Source Security

Mix dependency management and mix.lock integrity in Elixi...

A practical guide to mix.lock integrity: pinning Elixir dependencies, verifying lockfile hashes, and preventing supply chain tampering in mix.exs projects.

Feb 1, 20268 min read
Open Source Security

Auditing Elixir and Phoenix apps with mix_audit and Sobelow

A hands-on mix_audit Sobelow tutorial for scanning Elixir and Phoenix apps: dependency audits, static analysis, CI wiring, and triage tips.

Feb 1, 20267 min read
Open Source Security

NuGet supply chain attacks: typosquatting and dependency ...

NuGet typosquatting and dependency confusion let attackers plant malicious packages in .NET builds. Here's how real campaigns worked and how to stop them.

Jan 31, 20268 min read
Open Source Security

NuGet package signing, source mapping, and verifying pack...

A practical guide to NuGet package signing, source mapping, and provenance verification for .NET teams — with commands, config, and a troubleshooting checklist.

Jan 31, 20268 min read
Open Source Security

Finding vulnerable .NET dependencies with dotnet list pac...

A step-by-step guide to scanning C# projects for vulnerable NuGet packages using dotnet list package --vulnerable, plus how to fix and monitor them continuously.

Jan 31, 20267 min read
open-source-security (Page 11) — Safeguard Blog