software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Best GitHub Actions security scanning tools
A practical, no-hype comparison of GitHub Actions security tools — Zizmor, StepSecurity, Scorecard, Checkov, GitGuardian, and Legit Security — plus what to evaluate before you buy.
LLM System Prompt Leakage
System prompts often hide business logic and secrets. Here's how attackers extract them, real 2023-2024 incidents, and how to stop leaks before they reach production.
Best vulnerability management platforms
A practical comparison of leading vulnerability management platforms — Tenable, Qualys, Rapid7, CrowdStrike, Wiz, and Microsoft — plus how Safeguard closes the supply-chain gap.
LLM Supply Chain Vulnerabilities
Malicious model files, poisoned datasets, and compromised ML packages are the new software supply chain frontier. Here is how these LLM attacks actually work.
NuGet dependency confusion risk report
NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.
Best open source license compliance tools
A practical comparison of open source license compliance tools—FOSSA, Mend, Black Duck, Snyk, and more—covering detection accuracy, policy engines, and SBOM support.
Best artifact and code signing tools
A practical, no-hype comparison of Sigstore, Notation, GitHub Attestations, DigiCert, Vault, and AWS Signer for teams choosing artifact signing tools.
Sensitive Information Disclosure in LLM Applications
From Samsung's ChatGPT leak to RAG pipelines with no access controls, sensitive information disclosure is now a top LLM security risk. Here's how it happens and how to stop it.
Malicious Composer packages on Packagist
Three malicious Composer package campaigns hit Packagist in under a year -- each sitting undetected for months. Here's what happened and how to catch the next one faster.
Overreliance on LLM Outputs: A Security Perspective
LLMs hallucinate packages, vulnerability verdicts, and compliance summaries with total confidence. Here's where overreliance on AI outputs creates real security risk—and how to close the gap.
Best open source project risk scoring tools
A practical buyer's guide comparing open source project risk scoring tools like OpenSSF Scorecard, Snyk, and Sonatype on signal quality and coverage.
Best VEX (Vulnerability Exploitability eXchange) tools
A practical buyer's guide to VEX tools: what to evaluate, and an honest look at Dependency-Track, GUAC, OpenVEX, Grype, Trivy, and Interlynk.