open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
Open Source Security Summit 2026: Key Takeaways
We attended the Open Source Security Summit 2026 and came back with five actionable insights for security teams.
OSS Container Security: What Changes With Open-Source Base Images
Open-source base images change your patch cadence, your license exposure, and your provenance story — here's what OSS container security actually adds on top of standard image hardening.
Abandoned Dependency Risk Study
The Safeguard Research team measured how much abandonment exists in real dependency graphs, how it correlates with risk, and what to do about it.
DEF CON 33 Software Supply Chain Sessions Recap
DEF CON 33 brought hacker-energy attention to package ecosystems, CI/CD abuse, and AppSec Village. Here is what supply chain defenders should take home.
CVE-2025-15467 in OpenSSL CMS: Patch Posture & SBOM Response
OpenSSL CMS pre-auth stack buffer overflow scored CVSS 9.8. Mail servers, web servers, and anything that processes S/MIME need the fix. Defender playbook below.
Open Source Risk Management: Beyond Vulnerability Scanning
Vulnerability scanning catches known CVEs. But open source risk goes deeper — license compliance, maintainer health, dependency freshness, and supply chain attacks.
Best open source SBOM generation tools
A practical, no-hype comparison of open source SBOM generation tools — Syft, Trivy, cdxgen, Microsoft sbom-tool, SPDX Tools, and Tern — plus what to check before you pick one.
Automating Open Source License Compliance: From Manual Audits to Continuous Enforcement
Manual license audits cannot keep pace with modern dependency trees. Automated license detection, policy enforcement, and compliance documentation turn a legal bottleneck into a developer workflow.
Semgrep Community Fall 2025: Native Windows and 3x Multicore
Semgrep's Fall 2025 Community Edition ships native Windows binaries, a memory-efficient multicore engine, and up to 3x scan speedups. We benchmarked it.
CRA Open Source Software Stewards: Article 24's Light-Touch Regime
The CRA's open-source software steward concept under Article 24 creates a distinct, lighter set of obligations for foundations and non-profits supporting commercial OSS.
OpenSSF Scorecard v5.1: Azure DevOps Support and File-Mode Selection
Scorecard v5.1 added experimental Azure DevOps repository support and a new --file-mode flag that materially changes how repository files are fetched.
OpenSSF Scorecard v6 Roadmap: OSPS Baseline Conformance
The Scorecard v6 proposal introduces PASS/FAIL/ATTESTED conformance against the OSPS Baseline, versioned probe mapping, and CI gating. Here is what consumers and maintainers need to know.