software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
How Snyk Container generates a Software Bill of Materials...
How Snyk Container statically scans image layers, parses OS package databases and lockfiles, and exports CycloneDX/SPDX SBOMs — mechanically explained.
How Snyk Broker's Container Registry Agent scans private,...
How Snyk's Broker Container Registry Agent scans private, self-hosted registries like Artifactory and Nexus without exposing credentials or images to the cloud.
How Snyk's Docker Desktop Extension scans images before t...
How Snyk's Docker Desktop extension scans local images for CVEs before push, what it can and can't detect, and where it fits with CI and registry scanning.
How Snyk Open Source analyzes Cargo.lock for Rust depende...
How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.
How the Snyk Vulnerability Database sources and verifies ...
A look at how Snyk's Vulnerability Database sources, verifies, and scores new disclosures, from GHSA feeds and silent fixes to CVSS overrides and embargo timing.
How Snyk decides whether an automatic PR proposes a minor...
A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.
How Snyk patches remediate vulnerabilities that have no a...
How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.
What Is a Transitive Dependency?
A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.
How the Snyk Risk Score's 0-1000 scale is derived from CV...
How Snyk's 0-1000 Risk Score starts from the CVSS impact subscore formula, then layers in exploit maturity, social trends, and reachability data.
How Snyk Advisor's package health score weighs popularity...
Snyk Advisor scores packages 0-100 using four signals: popularity, maintenance, community, and security. Here is exactly how each one is calculated.
How Snyk detects malicious and typosquatted open-source p...
How Snyk's research team detects malicious and typosquatted open-source packages — from name-similarity heuristics to install-script analysis and source-code provenance checks.
How Snyk identifies dependency confusion attacks in priva...
A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.