Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Best Practices

6 free GitHub security settings every maintainer should e...

GitHub Advanced Security costs per committer, but six free GitHub repository security settings — from 2FA to secret scanning — already stop most real-world supply chain attacks.

Jul 1, 20267 min read
Open Source Security

Dependabot security updates and automated dependency pull...

Dependabot opens patch PRs from known CVEs, but backlogs pile up and malicious packages slip through. Here's what it misses versus GitHub Advanced Security.

Jun 30, 20267 min read
Open Source Security

Dependabot malware detection in open source packages

Dependabot catches known vulnerabilities, not injected malware. Here's how GitHub Advanced Security handles malicious packages — and where the gaps remain.

Jun 29, 20267 min read
Open Source Security

Auto-triage rules for Dependabot pull requests at scale

Dependabot floods teams with PRs, but not every alert deserves equal attention. Here's how auto-triage rules cut noise at scale, and where GHAS falls short.

Jun 29, 20268 min read
Software Supply Chain Security

Preventing malicious packages with automated detection

Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.

Jun 29, 20266 min read
Compliance

What open source scans miss in M&A due diligence

Open source composition scans like Black Duck catch known packages and licenses — but M&A due diligence needs to catch what those scans miss too.

Jun 15, 20268 min read
Vulnerability Analysis

Cybersecurity Research Center (CyRC): vulnerability resea...

What is Black Duck's CyRC, how does it research and disclose vulnerabilities, and where do its coverage gaps leave your open source supply chain exposed?

Jun 10, 20267 min read
Buyer's Guides

Compare Sonatype / Why Choose Sonatype

Comparing Safeguard and Sonatype on origin, CVE-vs-malicious-package coverage, AI-agent (MCP) support, and CI/CD fit — a practical guide to Sonatype alternatives.

Jun 8, 20267 min read
AI Security

AI Is Forcing a New Open Source Security Model

AI coding agents now choose dependencies — and attackers are exploiting hallucinated packages and MCP backdoors that legacy SCA tools like Sonatype's were never built to catch.

Jun 7, 20267 min read
SBOM

Software Dependency Cooldown Policies

A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.

Jun 6, 20267 min read
Threat Intelligence

Sonatype Firewall: Malicious Package Protection

Sonatype's Repository Firewall blocks known malicious packages at the door, but timing gaps and single-source blind spots still let real threats through.

Jun 5, 20267 min read
Open Source Security

What is SCA? Software Composition Analysis explained

SCA scans your open-source dependencies for known vulnerabilities and license risk. Here's what it checks, how it differs from SAST, and why reachability matters.

Jun 3, 20266 min read
open-source-security (Page 4) — Safeguard Blog