open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
PyPI Malware News: What's Happening and How to Detect It
PyPI malware news keeps repeating the same pattern — typosquats, compromised maintainer accounts, and post-install scripts that exfiltrate credentials — here's how to actually catch it.
npm's shift from implicit to explicit trust: what changed...
npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.
10 npm security best practices
Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.
Software Composition Analysis (SCA) explained: how it fin...
SCA scans your dependency tree against CVE databases to catch vulnerable open-source packages like Log4Shell before they reach production.
Best Software Composition Analysis tools/services ranked ...
We compare Safeguard and Mend.io on verifiable SCA dimensions — company history, Renovate, SBOM depth, and build provenance — for buyers evaluating tools in 2026.
Open source license management tools: features and best p...
A practical comparison of open source license management tools, contrasting Safeguard and Mend.io on detection, policy enforcement, and SBOM depth.
Reachability analysis for prioritizing vulnerable depende...
Most flagged CVEs in your dependency tree are never executed. Here's how reachability analysis application security separates exploitable risk from noise—and how Safeguard compares to Mend.io.
Contextual project classification for SCA accuracy
Flat SCA scanning treats every dependency the same, burying real risk under test-path noise. Here's how contextual project classification fixes accuracy — and where Mend.io falls short.
Automated dependency updates and patch management
How automated dependency updates actually close the patch gap—where Mend.io's approach falls short, and what reachability, provenance, and policy-as-code add.
ROI of automated dependency management (Renovate Enterprise)
Automated dependency updates promise real ROI, but Renovate Enterprise's PR-scheduling model often stalls at the review bottleneck. Here's how to measure the real numbers.
Malicious packages and malware campaigns: the new reality...
Malicious open source packages don't wait for a CVE. See how npm worms, xz utils, and typosquats evade legacy SCA — and what real detection requires.
First-Party Code vs Open Source Risk: Where Should AppSec...
First-party code and open source dependencies are one attack surface. See how Safeguard's unified scanning compares to Endor Labs' open-source-first approach.