software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Dependency Cooldown Periods as a Malware Defense
Malicious npm packages are often caught within days. Cooldown periods exploit that lag — here's how they work, and how Endor Labs and Safeguard compare.
Upgrade Impact Analysis: Predicting Breaking Changes Befo...
Why 70% of security patches sit unapplied for months, and how diffing a package upgrade against your call graph predicts breaking changes before you run npm update.
TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)
On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.
Shifting security left: what it really means for teams
Shift left security means catching vulnerabilities at commit time, not audit time. Here's what that requires in practice, with real CVEs and numbers.
npm audit isn't enough: what it misses
npm audit catches known CVEs and stops there. It misses malicious packages, install scripts, and typosquats -- the threats actually landing in npm today.
SOC 2 compliance guide for engineering teams
SOC 2 audits fail on missing evidence, not bad intentions. Here's what engineering teams must actually build, track, and prove — with real timelines and costs.
ISO 27001 compliance for software development teams
ISO/IEC 27001:2022 audits now check 8 SDLC controls directly — SBOMs, vulnerability SLAs, and CI/CD evidence dev teams commonly get flagged on.
HIPAA compliance in software development
HIPAA compliance in software development means encryption, access logging, and vulnerability management baked into the SDLC — not paperwork. Here's what engineers must build.
NIST Secure Software Development Framework (SSDF) explained
NIST SP 800-218's 42 practices now back federal attestation law. Here's what SSDF actually requires, who must comply, and how it differs from SLSA and SOC 2.
Socket.dev vs Dependabot: beyond automated dependency upd...
Dependabot patches known CVEs; Socket.dev flags risky package behavior. Neither enforces policy or ties risk to your actual build and runtime footprint — here's where Safeguard fits.
Executive Order 14028 and software supply chain security
EO 14028 forces federal software vendors to produce SBOMs and attest to NIST's SSDF. Here's what it requires, key deadlines, and how to prove compliance.
Socket.dev alternatives for enterprise supply chain security
Comparing Safeguard and Socket.dev on detection philosophy, ecosystem coverage, and supply chain breadth for enterprise security teams evaluating alternatives.