open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
6 free GitHub security settings every maintainer should e...
GitHub Advanced Security costs per committer, but six free GitHub repository security settings — from 2FA to secret scanning — already stop most real-world supply chain attacks.
Dependabot security updates and automated dependency pull...
Dependabot opens patch PRs from known CVEs, but backlogs pile up and malicious packages slip through. Here's what it misses versus GitHub Advanced Security.
Dependabot malware detection in open source packages
Dependabot catches known vulnerabilities, not injected malware. Here's how GitHub Advanced Security handles malicious packages — and where the gaps remain.
Auto-triage rules for Dependabot pull requests at scale
Dependabot floods teams with PRs, but not every alert deserves equal attention. Here's how auto-triage rules cut noise at scale, and where GHAS falls short.
Preventing malicious packages with automated detection
Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.
What open source scans miss in M&A due diligence
Open source composition scans like Black Duck catch known packages and licenses — but M&A due diligence needs to catch what those scans miss too.
Cybersecurity Research Center (CyRC): vulnerability resea...
What is Black Duck's CyRC, how does it research and disclose vulnerabilities, and where do its coverage gaps leave your open source supply chain exposed?
Compare Sonatype / Why Choose Sonatype
Comparing Safeguard and Sonatype on origin, CVE-vs-malicious-package coverage, AI-agent (MCP) support, and CI/CD fit — a practical guide to Sonatype alternatives.
AI Is Forcing a New Open Source Security Model
AI coding agents now choose dependencies — and attackers are exploiting hallucinated packages and MCP backdoors that legacy SCA tools like Sonatype's were never built to catch.
Software Dependency Cooldown Policies
A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.
Sonatype Firewall: Malicious Package Protection
Sonatype's Repository Firewall blocks known malicious packages at the door, but timing gaps and single-source blind spots still let real threats through.
What is SCA? Software Composition Analysis explained
SCA scans your open-source dependencies for known vulnerabilities and license risk. Here's what it checks, how it differs from SAST, and why reachability matters.