python
Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.
76 articles
SLSA Build Provenance for Python Publish
Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.
Python Package Typosquatting in 2024: Scale, Tactics, and Defenses
Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of malicious package names targeting common misspellings of popular libraries.
Pydantic v2 Security Implications
Pydantic v2 rewrote the core in Rust and changed validation semantics. Here is what that means for security-sensitive code, from input coercion to ReDoS exposure.
FastAPI Supply Chain Security: A Working Guide
FastAPI's dependency surface is deceptively large. Here is how to lock it down in practice, covering Starlette, Pydantic, Uvicorn, and the plugins you likely missed.
FastAPI Security Best Practices
Securing FastAPI applications with Pydantic validation, OAuth2 integration, and dependency injection patterns.
Pants Build Tool Security Posture
A practitioner's view of the Pants build system's security properties, covering sandboxing, third-party resolution, and the Pants 2.x architecture.
Managing Python Package Namespace Conflicts
Python's flat namespace creates real security problems. Here is how namespace packages, shadowing, and install order interact, and how to avoid the surprises.
How to Audit Python Dependencies with pip-audit (and What It Misses)
pip-audit checks your Python dependencies against the PyPA advisory database in one command. Here is how to run it well in CI, and the four gaps it leaves open.
PyPI Supply Chain Attacks: Q1 2024 Roundup
Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked like and how to defend.
Django Security Best Practices, 2024 Edition
From SECRET_KEY hygiene to middleware ordering, the Django security checklist worth actually following in 2024, grounded in real CVEs and production incidents.
Poetry and Python Supply Chain Security
Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.
How to Verify a PyPI Package Before Install
A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.