open-source
Safeguard articles tagged "open-source" — guides, analysis, and best practices for software supply chain and application security.
138 articles
Trivy vs Grype: Container Scanning Head-to-Head
Compare Trivy and Grype on vulnerability database sources, scan speed, OS coverage, SBOM integration, and CI ergonomics to pick the right open source container scanner.
curl CVE-2023-38545: The Worst curl Vulnerability in Years
A heap buffer overflow in curl's SOCKS5 proxy handshake earned a severity rating of HIGH from curl's creator Daniel Stenberg, who called it the worst curl flaw in a long time.
Open Source vs Commercial SCA Tools: An Honest Comparison
Free SCA tools have gotten remarkably good. Commercial tools still offer advantages. Here is when each makes sense for your organization.
OpenSSF Scorecard v5: Raising the Bar for Open Source Security
The latest release of OpenSSF Scorecard introduces new checks and improved accuracy, helping organizations make data-driven decisions about open source dependency risk.
Dependabot Security Updates: Behavior Deep Dive
A hands-on look at how Dependabot security updates behave in 2023 - PR grouping, semver strategy, transitive coverage, and alternatives when it misses a fix.
Secure Package Publishing Checklist for Open Source Maintainers
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
Changelog and Security Disclosure Best Practices
How you communicate security changes in your changelog affects both your users' safety and your project's trustworthiness. Here is how to get it right.
OSV Schema: The Open Source Vulnerability Database Format Explained
OSV provides a standardized format for vulnerability data that is purpose-built for open-source ecosystems. Here is how it works and why it is better than NVD for dependency scanning.
npm Tightens Unpublish Rules: What It Means for Supply Chain Security
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
Open Source Vulnerability Rewards: Can Bug Bounties Save Open Source?
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.
Anchore Syft: The Go-To Open Source SBOM Generator
A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.
EU Cyber Resilience Act: Impact on Software Developers and Open Source
The EU's Cyber Resilience Act will impose mandatory cybersecurity requirements on all software sold in Europe. Here's what developers need to know.