software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
8 tips for securing your CI/CD pipeline
Real incidents like tj-actions and xz-utils show how CI/CD pipelines get compromised. Eight concrete, actionable tips to lock yours down.
AI Security Code Review for Pull Requests
How AI code review security works in pull requests, where Endor Labs stops short, and what closes the gap between diff review and real supply chain risk.
Patch Transparency: Auditing Automated Fix Pull Requests
Automated fix PRs from Dependabot, Renovate, and Endor Labs move fast but are rarely auditable. Here's what a real patch transparency record needs.
Zero-Day Patch Response at Scale: Can Open Source Maintai...
Zero-day patch timelines swing from 3 hours to 10 weeks across open source projects. Here's why maintainer capacity, not tooling, is the real bottleneck.
SBOM and Compliance: Generating and Exporting Software Bi...
Regulators now require SBOMs from federal vendors, medical device makers, and soon every EU digital product. Here's how SBOM generation tools actually compare on accuracy, format, and export.
Open Source License Compliance: Automating License Risk R...
Manual license audits miss GPL contamination and copyleft traps. Here's how automated license risk reports work, and how Safeguard stacks up against Endor Labs.
Cyber Resilience Act (CRA) Compliance for Software Vendors
CRA reporting duties start Sept 2026; fines reach 2.5% of global turnover. What software vendors must do for SBOMs, vulnerability reporting, and audits.
ISO 42001 and AI Management Systems for Security Teams
ISO 42001 makes AI governance auditable and certifiable. Here's what security teams need to build an AIMS, where Endor Labs' AI code-risk scoring falls short, and how Safeguard closes the gap.
PCI DSS Requirements for Application Security Testing
PCI DSS 4.0's March 2025 deadline made SBOMs and 30-day patch SLAs mandatory. Here's what Requirements 6.3.2, 6.4.2, and 11.3 actually demand, and where Endor Labs leaves compliance gaps.
AI Coding Agent Governance: Securing Copilot, Cursor, and...
How to govern Copilot, Cursor, and Claude Code with provenance tracking and permission scoping — beyond after-the-fact SCA scanning of agent-written code.
Securing MCP Servers and Agent Skills in the Enterprise
MCP servers and agent skills give AI agents new power—and new attack surface. Here's how tool poisoning and rug-pull attacks work, and how to stop them.
SAST vs DAST vs SCA vs IAST
SAST, DAST, SCA, and IAST each test different risk. See how Safeguard's unified platform compares to Socket.dev's SCA-focused approach to supply chain security.