Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Supply Chain

PyPI Malware News: What's Happening and How to Detect It

PyPI malware news keeps repeating the same pattern — typosquats, compromised maintainer accounts, and post-install scripts that exfiltrate credentials — here's how to actually catch it.

Jun 2, 20265 min read
Open Source Security

npm's shift from implicit to explicit trust: what changed...

npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.

May 29, 20267 min read
Open Source Security

10 npm security best practices

Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.

May 28, 20267 min read
Application Security

Software Composition Analysis (SCA) explained: how it fin...

SCA scans your dependency tree against CVE databases to catch vulnerable open-source packages like Log4Shell before they reach production.

May 28, 20267 min read
Open Source Security

Best Software Composition Analysis tools/services ranked ...

We compare Safeguard and Mend.io on verifiable SCA dimensions — company history, Renovate, SBOM depth, and build provenance — for buyers evaluating tools in 2026.

May 27, 20268 min read
Compliance

Open source license management tools: features and best p...

A practical comparison of open source license management tools, contrasting Safeguard and Mend.io on detection, policy enforcement, and SBOM depth.

May 26, 20268 min read
Open Source Security

Reachability analysis for prioritizing vulnerable depende...

Most flagged CVEs in your dependency tree are never executed. Here's how reachability analysis application security separates exploitable risk from noise—and how Safeguard compares to Mend.io.

May 23, 20268 min read
Open Source Security

Contextual project classification for SCA accuracy

Flat SCA scanning treats every dependency the same, burying real risk under test-path noise. Here's how contextual project classification fixes accuracy — and where Mend.io falls short.

May 23, 20267 min read
Open Source Security

Automated dependency updates and patch management

How automated dependency updates actually close the patch gap—where Mend.io's approach falls short, and what reachability, provenance, and policy-as-code add.

May 21, 20267 min read
Open Source Security

ROI of automated dependency management (Renovate Enterprise)

Automated dependency updates promise real ROI, but Renovate Enterprise's PR-scheduling model often stalls at the review bottleneck. Here's how to measure the real numbers.

May 21, 20267 min read
Open Source Security

Malicious packages and malware campaigns: the new reality...

Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.

May 21, 20267 min read
Application Security

First-Party Code vs Open Source Risk: Where Should AppSec...

First-party code and open source dependencies are one attack surface. See how Safeguard's unified scanning compares to Endor Labs' open-source-first approach.

May 19, 20269 min read
open-source-security (Page 5) — Safeguard Blog