supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Securing the Argo CD to Kubernetes GitOps Pipeline
One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.
Argument injection in Git and Mercurial CLI wrappers
A branch name like --upload-pack=/bin/sh isn't a string to Git — it's a flag. CVE-2017-1000117 and CVE-2017-1000116 show why that distinction matters.
Building minimal, non-root Java containers with distroless and JVM hardening
A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.
SBOM Compliance Requirements FAQ: NTIA Elements, Formats, and Mandates
A precise FAQ on SBOM compliance in 2026 — the NTIA minimum elements, accepted formats, where SBOMs are actually mandated (federal, FDA, EU CRA), depth, VEX, and generation.
Browser extensions are the softest target in your stack
A patched Grammarly bug let any website steal a user's documents; a 2025 flaw in Anthropic's Claude extension enabled silent prompt injection. Extensions keep failing the same three ways.
Designing Secure Fastify Plugin Boundaries
Fastify's encapsulation model isolates plugin state by default — but one `fastify-plugin` wrapper or a stray `skip-override` symbol can silently punch a hole through every boundary you had.
When Node.js sandboxing stops at the C++ boundary
Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.
Building a minimal, multi-stage, non-root Dockerfile for PHP
The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.
The blind spots of single-model AI security tooling
OpenAI's API went down three separate times in 2024 alone — if your SAST pipeline hard-depends on one model provider, its outages and blind spots become yours.
Security Practices for GitHub Copilot and AI Coding Assistants
Copilot suggested 2,702 hardcoded secrets from just 900 prompts in one study, and at least 200 were live credentials — adoption without policy is a leak waiting to happen.
CI/CD Supply Chain Attacks Explained: Anatomy and Defense
From SolarWinds to tj-actions, CI/CD pipelines are where one foothold reaches thousands of victims. This guide explains the anatomy of a pipeline supply chain attack and the layered defenses that stop it.
How to Remediate Transitive Dependency Vulnerabilities
Fix vulnerabilities in the nested packages you never installed directly — trace the import chain, choose between upgrading the parent or overriding the child, and verify the fix without breaking builds.