Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Kubernetes Security

Securing the Argo CD to Kubernetes GitOps Pipeline

One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.

Jul 12, 20266 min read
Application Security

Argument injection in Git and Mercurial CLI wrappers

A branch name like --upload-pack=/bin/sh isn't a string to Git — it's a flag. CVE-2017-1000117 and CVE-2017-1000116 show why that distinction matters.

Jul 10, 20266 min read
Container Security

Building minimal, non-root Java containers with distroless and JVM hardening

A typical java:17 image ships a full OS and root shell; distroless plus JVM container-awareness flags cut that attack surface to almost nothing.

Jul 10, 20266 min read
FAQ

SBOM Compliance Requirements FAQ: NTIA Elements, Formats, and Mandates

A precise FAQ on SBOM compliance in 2026 — the NTIA minimum elements, accepted formats, where SBOMs are actually mandated (federal, FDA, EU CRA), depth, VEX, and generation.

Jul 8, 20266 min read
Application Security

Browser extensions are the softest target in your stack

A patched Grammarly bug let any website steal a user's documents; a 2025 flaw in Anthropic's Claude extension enabled silent prompt injection. Extensions keep failing the same three ways.

Jul 8, 20267 min read
Application Security

Designing Secure Fastify Plugin Boundaries

Fastify's encapsulation model isolates plugin state by default — but one `fastify-plugin` wrapper or a stray `skip-override` symbol can silently punch a hole through every boundary you had.

Jul 8, 20267 min read
Application Security

When Node.js sandboxing stops at the C++ boundary

Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.

Jul 8, 20267 min read
Container Security

Building a minimal, multi-stage, non-root Dockerfile for PHP

The official php:fpm image still runs its master process as root — a documented, still-open issue. Here's how to build a PHP Dockerfile that doesn't.

Jul 8, 20267 min read
AI Security

The blind spots of single-model AI security tooling

OpenAI's API went down three separate times in 2024 alone — if your SAST pipeline hard-depends on one model provider, its outages and blind spots become yours.

Jul 8, 20266 min read
AI Security

Security Practices for GitHub Copilot and AI Coding Assistants

Copilot suggested 2,702 hardcoded secrets from just 900 prompts in one study, and at least 200 were live credentials — adoption without policy is a leak waiting to happen.

Jul 8, 20266 min read
DevSecOps

CI/CD Supply Chain Attacks Explained: Anatomy and Defense

From SolarWinds to tj-actions, CI/CD pipelines are where one foothold reaches thousands of victims. This guide explains the anatomy of a pipeline supply chain attack and the layered defenses that stop it.

Jul 7, 20267 min read
Tutorials

How to Remediate Transitive Dependency Vulnerabilities

Fix vulnerabilities in the nested packages you never installed directly — trace the import chain, choose between upgrading the parent or overriding the child, and verify the fix without breaking builds.

Jul 7, 20265 min read
supply-chain — Safeguard Blog