open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Transitive dependency vulnerabilities explained
A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.
Securing mobile app dependencies: CocoaPods and Gradle
CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.
Best Open Source SCA Tools in 2026 (Tested on a Real Monorepo)
OSV-Scanner, Trivy, Grype, Dependency-Check, and dep-scan, all run against the same 4,300-dependency monorepo. Recall, false positives, and scan times measured.
The State of Open Source Security report (annual series)
Safeguard's annual State of Open Source Security Report finds transitive dependencies now drive most exposure, and reachability — not CVSS alone — separates mature security programs.
Software supply chain attacks: how they work and recent e...
Software supply chain attacks like SolarWinds, xz-utils, and polyfill.io bypass vulnerability scanners entirely. Here's how they work and where provenance verification fills the gap.
NPM package vulnerabilities: risks and detection
NPM's open, high-velocity ecosystem makes it a top target for supply chain attacks. Here's how vulnerabilities slip past scanners like Trivy undetected.
5 risks of open source software in 2026
Open source now makes up most enterprise code. Here are 5 risks defining open source software security in 2026 — and how to close the exploitability gap.
162 vulnerabilities disclosed in Java's top 10 libraries
Safeguard's H1 2026 analysis found 162 CVEs across Java's ten most-downloaded libraries, with critical RCE risk concentrated in Tomcat and Spring.
Open source package health scoring explained
Health scores from OSSF Scorecard, Snyk, and npms.io compress package risk into one number -- but xz-utils proves a high score isn't the same as safe.
What to check before installing an open source package
A practical guide to vetting open source packages before you install them — real incidents, concrete checks, and how reachability analysis cuts through CVE noise.
npm audit vs Snyk: comparing vulnerability scanners
npm audit is free and built-in; Snyk adds reachability analysis and auto-fix PRs. Here's how they really compare on data, false positives, and supply chain attacks.
Software Composition Analysis (SCA)
SCA finds every open source package in your code and flags known CVEs against it. Here's how it works, its blind spots, and how to fix them.