software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
Best secrets detection tools for source code repositories
A practical, no-hype comparison of secrets detection tools for source code repos — evaluation criteria, five real vendors reviewed fairly, and how Safeguard fits in.
Best software supply chain attestation tools
A practical, no-hype comparison of software supply chain attestation tools — in-toto, Sigstore, GUAC, GitHub, JFrog, and Chainguard — plus how to pick the right fit.
Best open source software composition analysis (SCA) tools
A practical comparison of the best open source SCA tools — vulnerability coverage, license scanning, and CI/CD fit — with honest strengths and limitations for each.
NuGet typosquatting campaign report
Four disclosed NuGet typosquatting campaigns since 2024 reveal a shift toward patient, audience-specific attacks — from ICS time bombs to wallet-draining homoglyphs.
Best CVE tracking and monitoring tools
A field guide to CVE tracking tools -- from NVD and OSV.dev to Snyk, Tenable, and Qualys -- with honest pros, cons, and how Safeguard adds supply-chain context.
Best software supply chain security platforms
A practical buyer's guide comparing top software supply chain security platforms—SBOM, dependency scanning, and CI/CD attestation—so you can pick the right fit.
Homebrew Formula Security for Engineering Teams
Every brew install runs Ruby you didn't read on a laptop that holds your SSH keys and cloud credentials. How formulae, taps, casks and bottles actually differ in risk.
Best SBOM validation and diffing tools
A practical buyer's guide to SBOM validation tools -- covering schema checks, quality scoring, and diffing -- with an honest look at six real tools and their tradeoffs.
Best reproducible build tools
A practical buyer's guide to reproducible build tools -- evaluation criteria, six real tools compared honestly, and how continuous verification closes the gap.
Malicious VS Code extensions report
150+ malicious VS Code extensions have been pulled from marketplaces since 2024. Here's how the attacks work — and how to defend against them.
Terraform Registry module vulnerability trends
Registry-wide analysis shows a rising share of Terraform modules carry stale provider pins and insecure defaults — here's what's driving it and how to respond.
Homebrew formula security incidents
A timeline of Homebrew formula security incidents — from the 2018 Jenkins token leak to 2026's Trivy tap compromise — and what Homebrew's Tap Trust fix means for security teams.