Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Best Practices

What CISA's Secure by Design Pledge Actually Requires

CISA's Secure by Design pledge asks 68+ vendors for measurable one-year progress on 7 goals. Here's what those goals mean for engineering teams.

Jul 10, 20266 min read
AI Security

Secure AI-Assisted Development: A Best-Practices Guide

Samsung banned ChatGPT company-wide in May 2023 after engineers pasted proprietary source code into it three times in 20 days. Here's how to adopt AI coding assistants without repeating that mistake.

Jul 8, 20266 min read
Industry Analysis

The State of Open Source Security: What a Year of Disclosure Data Shows

454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.

Jul 8, 20266 min read
Buyer's Guides

JFrog Xray Alternatives in 2026: An Honest Buyer's Guide

A balanced comparison of the top JFrog Xray alternatives in 2026 — Snyk, Sonatype, Mend, Trivy, Anchore, and Safeguard — with candid pros, cons, and a way to choose.

Jul 7, 20266 min read
Open Source Security

Managing Open Source Component Risk at Scale

A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.

Jul 7, 20268 min read
Tutorials

How to Secure Your Open Source Dependencies

Most of your code is code you didn't write. This beginner guide covers the practical habits that keep your open-source dependencies safe, from lockfiles to scanning.

Jul 6, 20266 min read
Buyer's Guides

Sonatype Nexus Alternatives in 2026: An Honest Buyer's Guide

A balanced comparison of the leading Sonatype Nexus alternatives in 2026 — JFrog, Snyk, Mend, Black Duck, Cloudsmith, and Safeguard — with candid pros, cons, and a framework for choosing.

Jul 6, 20266 min read
Buyer's Guides

Black Duck Alternatives in 2026: An Honest Buyer's Guide

A balanced comparison of the leading Black Duck alternatives in 2026 — Snyk, Mend, Sonatype, FOSSA, Trivy, and Safeguard — with candid pros, cons, and a framework for choosing.

Jul 4, 20266 min read
Software Supply Chain Security

SHA1-Hulud second-wave npm supply chain incident

Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.

Jul 4, 20267 min read
Tutorials

How to Read an SBOM

An SBOM is a list of everything inside your software. This beginner guide shows you how to open one, understand each field, and turn it into something useful.

Jul 3, 20266 min read
DevSecOps

SBOMs in the CI/CD Pipeline: From Generation to Actually Useful

Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.

Jul 3, 20266 min read
Vulnerability Analysis

GitHub Advisory Database: 30,000+ curated advisories beyo...

GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.

Jul 3, 20267 min read
software-supply-chain — Safeguard Blog