open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
.NET / NuGet Enterprise Supply Chain Program
An enterprise-grade .NET and NuGet supply chain program for 2026 — covering feeds, lockfiles, MSBuild targets, and runtime — backed by Safeguard.
Ruby / Bundler Supply Chain Program 2026
A 2026 supply chain program for Ruby and Bundler — covering RubyGems, Gemfile.lock, native extensions, and Rails — anchored by Safeguard policy gates.
PHP / Composer Supply Chain Defence 2026
A 2026 supply chain defence for PHP and Composer — covering Packagist, composer.lock, autoload manipulation, and Laravel — backed by Safeguard.
PyPI 2FA Lessons Two Years In
PyPI mandated 2FA for all maintainers in 2024. Two years in, account takeovers dropped — but attackers shifted to OIDC tokens, abandoned packages, and maintainer devices.
Swift And CocoaPods Supply Chain Program
A 2026 supply chain program for Swift apps — covering SPM, CocoaPods, XCFrameworks, and notarisation — anchored by Safeguard policy and SBOM evidence.
Fintech Software Supply Chain Realities in 2026
Fintechs ship fast and run on a thick layer of open source. Here is what the 2026 supply chain threat landscape looks like for a modern payments or lending platform, and the controls that actually scale.
npm Protestware Patterns From 2020 to 2026
A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons that still apply to modern JavaScript shops.
How to Audit Open Source Licenses for Compliance
A senior engineer's playbook for auditing open source licenses across modern polyglot repos, from SPDX extraction to enforcement in CI and legal reporting.
Safeguard Open Source Manager: A Deep Dive Into Dependency Governance
An inside look at Safeguard's Open Source Manager — how it tracks, evaluates, and enforces policies across every open-source dependency in your portfolio.
The OSV Vulnerability Database API Cookbook
Practical patterns for using the OSV.dev API in production: batch queries, schema gotchas, version range parsing, and how to integrate OSV data into your own vulnerability pipelines.
XZ Utils Backdoor: One Year Retrospective
A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?
Polyglot Monorepo: Unified Supply Chain Program
A 2026 unified supply chain program for polyglot monorepos — bringing Node, Python, Go, Java, and more under one set of policies — anchored by Safeguard.