supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Image Signing with Cosign and Sigstore
A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.
JavaScript Dependency Vulnerability Scanning: Beyond npm audit
npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.
JVM Supply Chain Security: Securing the Path from Source to Artifact
Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.
Securing Your Python Supply Chain on PyPI
Typosquats, dependency confusion, and account takeovers all target the same moment: pip install. Here is how to make that moment trustworthy.
Software Supply Chain Security for Automotive
UNECE R155 and R156, ISO/SAE 21434, and OEM SBOM flow-down have made the software supply chain a type-approval issue for vehicles. Here is what OEMs and suppliers need to build into their programs.
What Is the in-toto Framework?
in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.
Governing MCP tools with per-tenant feature flags
Safeguard's MCP server exposes 650+ tools. Here's how per-tool feature flags keep each tenant scoped to exactly what it needs — with safe defaults and a fail-safe that narrows, never widens, on error.
Snyk vs Black Duck (Synopsys) Comparison
Snyk vs Black Duck comparison for security buyers: how the two SCA platforms differ on workflow, coverage, and compliance — and where Safeguard fits.
Open Source License Compliance: Frequently Asked Questions
A clear FAQ on open-source license compliance in 2026 — permissive vs copyleft, SPDX identifiers, AGPL and SaaS, attribution obligations, license changes, and automated scanning.
Scala Security Best Practices: JVM Supply Chain, Deserialization, and Framework CVEs
Scala's expressive type system does nothing about the JVM attack surface underneath it. Log4Shell, Jackson gadget chains, and Spark's command-injection CVE all reach Scala code directly.
The Security Design Review: A Practical Guide
A security design review examines a system's architecture before it is built to find flaws that no code scanner can catch. Here's how to run one that finds real problems while they are still cheap to fix.
Software Supply Chain Security for SaaS
SaaS companies are a supply chain for everyone else, which is why the EU Cyber Resilience Act, NIS2, SOC 2, and DORA now push obligations onto them. Here is how to build a program that satisfies customers and regulators alike.