Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

Transitive dependency vulnerabilities explained

A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.

Apr 30, 20267 min read
Open Source Security

Securing mobile app dependencies: CocoaPods and Gradle

CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.

Apr 29, 20267 min read
Tools

Best Open Source SCA Tools in 2026 (Tested on a Real Monorepo)

OSV-Scanner, Trivy, Grype, Dependency-Check, and dep-scan, all run against the same 4,300-dependency monorepo. Recall, false positives, and scan times measured.

Apr 26, 20267 min read
Open Source Security

The State of Open Source Security report (annual series)

Safeguard's annual State of Open Source Security Report finds transitive dependencies now drive most exposure, and reachability — not CVSS alone — separates mature security programs.

Apr 25, 20267 min read
Software Supply Chain Security

Software supply chain attacks: how they work and recent e...

Software supply chain attacks like SolarWinds, xz-utils, and polyfill.io bypass vulnerability scanners entirely. Here's how they work and where provenance verification fills the gap.

Apr 25, 20268 min read
Software Supply Chain Security

NPM package vulnerabilities: risks and detection

NPM's open, high-velocity ecosystem makes it a top target for supply chain attacks. Here's how vulnerabilities slip past scanners like Trivy undetected.

Apr 25, 20266 min read
Open Source Security

5 risks of open source software in 2026

Open source now makes up most enterprise code. Here are 5 risks defining open source software security in 2026 — and how to close the exploitability gap.

Apr 24, 20267 min read
Industry Analysis

162 vulnerabilities disclosed in Java's top 10 libraries

Safeguard's H1 2026 analysis found 162 CVEs across Java's ten most-downloaded libraries, with critical RCE risk concentrated in Tomcat and Spring.

Apr 24, 20267 min read
Open Source Security

Open source package health scoring explained

Health scores from OSSF Scorecard, Snyk, and npms.io compress package risk into one number -- but xz-utils proves a high score isn't the same as safe.

Apr 21, 20267 min read
Open Source Security

What to check before installing an open source package

A practical guide to vetting open source packages before you install them — real incidents, concrete checks, and how reachability analysis cuts through CVE noise.

Apr 20, 20267 min read
Open Source Security

npm audit vs Snyk: comparing vulnerability scanners

npm audit is free and built-in; Snyk adds reachability analysis and auto-fix PRs. Here's how they really compare on data, false positives, and supply chain attacks.

Apr 20, 20267 min read
Open Source Security

Software Composition Analysis (SCA)

SCA finds every open source package in your code and flags known CVEs against it. Here's how it works, its blind spots, and how to fix them.

Apr 15, 20266 min read
open-source-security (Page 7) — Safeguard Blog