supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Why You Need a Kubernetes Admission Controller
RBAC decides who can call the Kubernetes API — it has no concept of what a pod spec contains, which is why privileged containers still slip through into clusters every day.
Foundations for adopting AI coding tools securely in an engineering org
One engineering team cut critical vulnerability remediation from a week to 24 hours after wiring security checks into AI coding tools at the moment of code generation.
How the security industry is scaling partnerships for AI risk
No vendor covers model security, agent runtime policy, supply-chain risk, and code-level AppSec alone — partner-sourced ARR at one major vendor grew over 6x from 2023 to 2025.
Malicious code in scoped npm packages: what the Miasma attack teaches
32 releases under the trusted @redhat-cloud-services npm scope shipped credential-stealing malware in June 2026 — with valid SLSA provenance attached.
New security risks across the agentic development lifecycle
Snyk found 76 confirmed-malicious skills among 3,984 analyzed and roughly a third of public MCP servers carrying exploitable flaws — legacy AppSec never modeled an agent as the author.
Protestware via prompt injection: when maintainers target AI agents
jqwik 1.10.0 shipped a hidden instruction telling AI coding agents to delete their own tests, then erased it from the terminal with ANSI codes — protestware built for agents, not humans.
Should open source maintainers get free enterprise security tooling?
80-90% of the average codebase is open source, built largely by unpaid maintainers — Snyk's year-old maintainer program now covers 60+ projects for free.
What a good AI remediation agent needs to fix dependencies safely
Snyk's CLI remediation agent pushed fix rates from 23% to 45% with an intelligence layer — but the harder problem is making an agent developers trust to touch their lockfile unsupervised.
What agentic coding environments reveal about developer risk
Snyk analyzed nearly 10,000 real developer environments and found 43% run 2+ AI coding tools at once — with MCP servers and skills quietly widening the attack surface.
Data Flow Diagrams for Threat Modeling
A data flow diagram maps how data moves through a system and where trust changes — the foundation most threat modeling is built on. Here's how to draw one that actually surfaces threats.
Elixir and Phoenix Security Best Practices: BEAM Footguns and the Hex Supply Chain
Phoenix is safe by default, but the BEAM has its own footguns — binary_to_term, atom exhaustion, dynamic eval — and the Erlang/OTP runtime beneath it shipped a CVSS 10.0 pre-auth SSH RCE in 2025.
Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk
Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.