software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
CI/CD pipeline dependency security integration coverage
How does Safeguard's pipeline-native dependency security compare to Socket.dev's PR-comment model? A concrete look at coverage, enforcement, and deployment options.
Cheat sheet: meeting security compliance standards
A concrete, numbers-first cheat sheet for SOC 2, ISO 27001, PCI DSS 4.0, and SBOM mandates — deadlines, timelines, and audit gaps that actually matter.
Socket.dev vs Snyk: SCA feature comparison
Socket.dev flags risky OSS packages; Snyk scans for known CVEs. See how Safeguard unifies both approaches into one supply chain security workflow.
EU Cyber Resilience Act: what developers need to know
The EU Cyber Resilience Act sets hard deadlines starting Sept 2026 for SBOMs, vulnerability reporting, and patching. Here's what developers must build.
Malicious postinstall scripts in npm packages
From eslint-scope in 2018 to the 2025 Shai-Hulud worm, npm postinstall scripts keep delivering malware before any scan or review runs. Here's how it works and what stops it.
Malicious NuGet package campaigns targeting developers
Socket.dev has tracked malicious NuGet packages stealing wallets, banking credentials, and sabotaging industrial systems. See how Safeguard catches them first.
5 risks of using open source software
Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.
GPL vs MIT vs Apache: license security and compliance implications
Redis, Vizio, and Cisco show how GPL, MIT, and Apache 2.0 licenses create real legal and compliance exposure across your software supply chain.
Prompt injection attacks against AI coding/security tools
AI coding assistants like Copilot and Cursor can be hijacked by hidden text in files, comments, and packages. Here's how prompt injection malware works and how Safeguard detects it.
SPDX vs CycloneDX: comparing SBOM formats
SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.
FDA SBOM requirements for medical device software
Since Oct 2023 the FDA can reject medical device submissions missing a compliant SBOM. Here's what Section 524B actually requires, in plain terms.
Software supply chain compliance for federal contractors
CMMC 2.0, OMB M-22-18, and SBOM mandates now hit federal contractors with overlapping deadlines and evidence demands — here's what's actually required.