Safeguard
Tag

registry-policy

Safeguard articles tagged "registry-policy" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Supply Chain

RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy

After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.

May 15, 20267 min read
Open Source Security

Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal

Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.

May 15, 20267 min read
Supply Chain

A Defender's Template for Package Registry Incident Communications, Built from the 2025-2026 Response Postmortems

The npm Shai-Hulud, PyPI credential-leak, and tj-actions response postmortems published through 2025-2026 reveal a common communication shape. Here is the template, the timing, and the policy that turns the template into a fast response.

May 14, 20267 min read
Supply Chain

NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap

NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.

May 12, 20266 min read
Open Source Security

OpenSSF Scorecard v6 and the OSPS Baseline: Turning Probe Evidence Into Registry Trust Signals

The Scorecard v6 roadmap introduces conformance labels (PASS/FAIL/UNKNOWN/NOT_APPLICABLE/ATTESTED) layered over the same probe evidence, aligning Scorecard output with the OSPS Baseline for registry-side trust decisions.

May 4, 20267 min read
Supply Chain

Private Registry Hardening in 2026: How Nexus Firewall and JFrog Curation Closed the Mirror-Pass-Through Gap

Through 2025-2026, Sonatype Nexus Firewall, JFrog Curation, and Harness Artifact Registry shipped policy features specifically aimed at the Shai-Hulud pass-through problem, where private mirrors silently replicated malicious upstream packages.

Apr 22, 20267 min read
Open Source Security

OpenSSF's Maintainer Handoff Governance: From Burnout-Driven Sabotage to Structured Repository Transfer

After colors.js, event-stream, and the colors-faker sabotage incidents, the OpenSSF Securing Software Repositories WG drafted guidance for when registries should allow ownership transfer of long-standing projects. Here is the defender view.

Apr 15, 20266 min read
Supply Chain

How npm's Takedown Response Time Compressed from Days to Hours During the 2025 Shai-Hulud Waves

AWS measured the September 8 chalk/debug compromise being removed within 2.5 hours and Shai-Hulud 2.0 in November within 12 hours. Here is how the registry-side response workflow operates and how to consume the signal.

Apr 2, 20267 min read
Supply Chain

GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack

GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.

Mar 25, 20266 min read
Open Source Security

crates.io's Security Team in 2026: Response Workflow, Notification Policy Change, and the Alpha-Omega Investment

After the September 2025 phishing wave and the December evm-units removal, the crates.io team announced a notification policy update in February 2026 and the Rust Foundation deployed crate-scanning infrastructure funded by Alpha-Omega.

Mar 12, 20267 min read
Supply Chain

Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing

By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.

Mar 3, 20266 min read
Open Source Security

Hugging Face's Guardian-Plus-Picklescan Stack: How the Model Hub Scanning Posture Evolved Through 2025-2026

Following NullifAI and the broken-pickle bypass campaigns, Hugging Face layered Protect AI's Guardian on top of Picklescan, ClamAV, and secrets scanning across 1.5 million public models. Here is the defender view of the new pipeline.

Feb 18, 20267 min read
registry-policy — Safeguard Blog