Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

What is Open Source Security

Open source powers 70-90% of modern codebases. Learn what open source security means, its real risks, and how reachability analysis cuts through the noise.

Apr 1, 20266 min read
Open Source Security

Wolfi: the community Linux 'undistro'

Wolfi calls itself an "undistro," not a distro — and it's the open-source foundation under Chainguard Images. Here's what that actually means, and where the gaps are.

Mar 31, 20267 min read
Open Source Security

apko and melange: declarative container build tools

How Chainguard's apko and melange replace Dockerfiles with declarative, reproducible builds — and where the security claims need independent verification.

Mar 30, 20268 min read
Vulnerability Analysis

What is Social Engineering

Social engineering causes 68% of breaches per Verizon's 2024 DBIR. Learn how it works, common attack types, and how it threatens the software supply chain.

Mar 25, 20266 min read
Software Supply Chain Security

What is Sigstore

Sigstore lets projects sign software with short-lived, identity-bound certificates instead of long-lived keys. Here's how Fulcio, Rekor, and Cosign actually work.

Mar 6, 20267 min read
Open Source Security

Typosquatting packages

What is typosquatting? A precise breakdown of package typosquatting attacks, real npm and PyPI examples, and how lookalike malicious packages slip into builds.

Mar 3, 20266 min read
Software Supply Chain Security

SPDX

What is SPDX? A plain-English guide to the ISO-standard SBOM and license format that documents what's really inside your software.

Mar 3, 20267 min read
Industry Analysis

Ruby Security Explained

Ruby security in one place: the 2019 rest-client hijack, CVE-2022-32224's RCE, RubyGems' MFA mandate, and 2025's credential-stealing gem campaign.

Feb 23, 20267 min read
Industry Analysis

Go (Golang) Security Explained

Go's memory safety stops buffer overflows, not logic bugs, typosquatted modules, or CI-pipeline compromise. Here's what actually threatens Go security.

Feb 23, 20266 min read
Tools

Snyk vs Black Duck Comparison

Snyk and Black Duck take different paths to open source risk—developer-first scanning vs. compliance-grade component identification. Here's how they compare, and where reachability closes the gap.

Feb 21, 20267 min read
Tools

Open Source Static Code Analysis Tools

Open source static code analysis tools like Semgrep, CodeQL, and Bandit catch real bugs -- but miss supply-chain flaws like Log4Shell entirely.

Feb 20, 20268 min read
Open Source Security

How to set up software composition analysis (SCA)

A practical, step-by-step guide to setting up software composition analysis: choosing a tool, setting policy, and integrating scans into CI/CD.

Feb 15, 20267 min read
open-source-security (Page 9) — Safeguard Blog