Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

DevSecOps

DevSecOps on AWS: a reference architecture for CI/CD security gates

Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.

Jul 8, 20266 min read
Container Security

Docker best practices for Node.js developers in 2026

Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.

Jul 8, 20267 min read
DevSecOps

A reference architecture for SAST, SCA, and DAST gates that don't block developers

Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.

Jul 8, 20267 min read
Supply Chain Security

Enriching SBOMs with Vulnerability and License Metadata

A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.

Jul 8, 20267 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
Open Source Security

Shipping a Dual ESM/CJS npm Package Without Creating a Supply-Chain Hazard

Node's own docs call it a 'dual package hazard' — the same module loaded twice via require() and import can produce two objects that fail instanceof against each other.

Jul 8, 20267 min read
Supply Chain Security

Generating a CycloneDX/SPDX SBOM for a Node.js Application

npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.

Jul 8, 20266 min read
Supply Chain Security

How Attackers Clone GitHub Repos to Ship Malware

One threat actor ran 3,000+ fake GitHub accounts and 2,200+ cloned repos to infect over 1,300 victims in four days. Here's how to spot the fakes.

Jul 8, 20267 min read
DevSecOps

The GitOps security model: risks and controls

GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.

Jul 8, 20266 min read
DevSecOps

Hardening CI/CD Pipelines End to End

A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.

Jul 8, 20268 min read
Application Security

Designing an application security program from first principles

Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.

Jul 8, 20267 min read
Best Practices

Installing and Verifying Java on macOS Securely

A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.

Jul 8, 20266 min read
supply-chain-security (Page 10) — Safeguard Blog