Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

SBOM

How Snyk Container generates a Software Bill of Materials...

How Snyk Container statically scans image layers, parses OS package databases and lockfiles, and exports CycloneDX/SPDX SBOMs — mechanically explained.

Sep 5, 20257 min read
Container Security

How Snyk Broker's Container Registry Agent scans private,...

How Snyk's Broker Container Registry Agent scans private, self-hosted registries like Artifactory and Nexus without exposing credentials or images to the cloud.

Sep 5, 20257 min read
Container Security

How Snyk's Docker Desktop Extension scans images before t...

How Snyk's Docker Desktop extension scans local images for CVEs before push, what it can and can't detect, and where it fits with CI and registry scanning.

Sep 4, 20257 min read
Open Source Security

How Snyk Open Source analyzes Cargo.lock for Rust depende...

How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.

Aug 29, 20257 min read
Vulnerability Analysis

How the Snyk Vulnerability Database sources and verifies ...

A look at how Snyk's Vulnerability Database sources, verifies, and scores new disclosures, from GHSA feeds and silent fixes to CVSS overrides and embargo timing.

Aug 28, 20257 min read
Open Source Security

How Snyk decides whether an automatic PR proposes a minor...

A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.

Aug 28, 20257 min read
Open Source Security

How Snyk patches remediate vulnerabilities that have no a...

How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.

Aug 27, 20257 min read
Concepts

What Is a Transitive Dependency?

A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.

Aug 26, 20255 min read
Open Source Security

How the Snyk Risk Score's 0-1000 scale is derived from CV...

How Snyk's 0-1000 Risk Score starts from the CVSS impact subscore formula, then layers in exploit maturity, social trends, and reachability data.

Aug 26, 20257 min read
Open Source Security

How Snyk Advisor's package health score weighs popularity...

Snyk Advisor scores packages 0-100 using four signals: popularity, maintenance, community, and security. Here is exactly how each one is calculated.

Aug 25, 20257 min read
Open Source Security

How Snyk detects malicious and typosquatted open-source p...

How Snyk's research team detects malicious and typosquatted open-source packages — from name-similarity heuristics to install-script analysis and source-code provenance checks.

Aug 25, 20256 min read
Open Source Security

How Snyk identifies dependency confusion attacks in priva...

A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.

Aug 25, 20257 min read
software-supply-chain (Page 36) — Safeguard Blog