software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Malicious dependency attacks in the software supply chain
Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.
What is Typosquatting
Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.
What Are Malicious Packages
Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.
Managing risk in the software supply chain
Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.
Open Source License Compliance
Redis, Elasticsearch, and Terraform all changed licenses in the last three years. Here's how license compliance actually breaks, and how to catch it before you ship.
Software supply chain security: threat vectors & solutions
Real incidents, real numbers: how modern software supply chain threat vectors work, why SBOMs alone don't stop them, and what actually closes the gap.
Copyleft vs Permissive Licenses
Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.
Streamlining the vulnerability management lifecycle
Most teams find CVEs fast but fix them slowly. Here's why the vulnerability management lifecycle breaks down after scanning — and how to close the gap.
Attack surface reduction: practical strategies to minimiz...
Base images are one layer. Real attack surface reduction covers dependencies, build pipelines, and provenance too — here's what Chainguard's approach misses.
Sigstore, Cosign, and keyless container image signing
How Sigstore's Fulcio and Rekor make Cosign keyless container image signing possible, why Chainguard built its product around it, and where the real gaps still are.
Anchore vs. Snyk / Wiz / Sysdig / Aqua / Chainguard posit...
Evaluating Anchore alternatives? See how Safeguard, Snyk, Wiz, Sysdig, Aqua, and Chainguard actually differ on SBOM, runtime, and compliance.
What is a Man-in-the-Middle Attack
A man-in-the-middle attack lets adversaries intercept trusted connections -- from Wi-Fi logins to CI/CD package fetches -- with real-world cases and defenses.