software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
What CISA's Secure by Design Pledge Actually Requires
CISA's Secure by Design pledge asks 68+ vendors for measurable one-year progress on 7 goals. Here's what those goals mean for engineering teams.
Secure AI-Assisted Development: A Best-Practices Guide
Samsung banned ChatGPT company-wide in May 2023 after engineers pasted proprietary source code into it three times in 20 days. Here's how to adopt AI coding assistants without repeating that mistake.
The State of Open Source Security: What a Year of Disclosure Data Shows
454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.
JFrog Xray Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the top JFrog Xray alternatives in 2026 — Snyk, Sonatype, Mend, Trivy, Anchore, and Safeguard — with candid pros, cons, and a way to choose.
Managing Open Source Component Risk at Scale
A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.
How to Secure Your Open Source Dependencies
Most of your code is code you didn't write. This beginner guide covers the practical habits that keep your open-source dependencies safe, from lockfiles to scanning.
Sonatype Nexus Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Sonatype Nexus alternatives in 2026 — JFrog, Snyk, Mend, Black Duck, Cloudsmith, and Safeguard — with candid pros, cons, and a framework for choosing.
Black Duck Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Black Duck alternatives in 2026 — Snyk, Mend, Sonatype, FOSSA, Trivy, and Safeguard — with candid pros, cons, and a framework for choosing.
SHA1-Hulud second-wave npm supply chain incident
Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.
How to Read an SBOM
An SBOM is a list of everything inside your software. This beginner guide shows you how to open one, understand each field, and turn it into something useful.
SBOMs in the CI/CD Pipeline: From Generation to Actually Useful
Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.
GitHub Advisory Database: 30,000+ curated advisories beyo...
GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.