Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Container Security

Image Signing with Cosign and Sigstore

A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.

Jul 6, 20265 min read
Security Guides

JavaScript Dependency Vulnerability Scanning: Beyond npm audit

npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.

Jul 6, 20266 min read
Security Guides

JVM Supply Chain Security: Securing the Path from Source to Artifact

Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.

Jul 6, 20265 min read
Security Guides

Securing Your Python Supply Chain on PyPI

Typosquats, dependency confusion, and account takeovers all target the same moment: pip install. Here is how to make that moment trustworthy.

Jul 6, 20265 min read
Solutions

Software Supply Chain Security for Automotive

UNECE R155 and R156, ISO/SAE 21434, and OEM SBOM flow-down have made the software supply chain a type-approval issue for vehicles. Here is what OEMs and suppliers need to build into their programs.

Jul 6, 20266 min read
Concepts

What Is the in-toto Framework?

in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.

Jul 6, 20266 min read
AI Security

Governing MCP tools with per-tenant feature flags

Safeguard's MCP server exposes 650+ tools. Here's how per-tool feature flags keep each tenant scoped to exactly what it needs — with safe defaults and a fail-safe that narrows, never widens, on error.

Jul 6, 20263 min read
Buyer's Guides

Snyk vs Black Duck (Synopsys) Comparison

Snyk vs Black Duck comparison for security buyers: how the two SCA platforms differ on workflow, coverage, and compliance — and where Safeguard fits.

Jul 6, 20268 min read
FAQ

Open Source License Compliance: Frequently Asked Questions

A clear FAQ on open-source license compliance in 2026 — permissive vs copyleft, SPDX identifiers, AGPL and SaaS, attribution obligations, license changes, and automated scanning.

Jul 5, 20266 min read
Security Guides

Scala Security Best Practices: JVM Supply Chain, Deserialization, and Framework CVEs

Scala's expressive type system does nothing about the JVM attack surface underneath it. Log4Shell, Jackson gadget chains, and Spark's command-injection CVE all reach Scala code directly.

Jul 5, 20266 min read
Concepts

The Security Design Review: A Practical Guide

A security design review examines a system's architecture before it is built to find flaws that no code scanner can catch. Here's how to run one that finds real problems while they are still cheap to fix.

Jul 5, 20267 min read
Solutions

Software Supply Chain Security for SaaS

SaaS companies are a supply chain for everyone else, which is why the EU Cyber Resilience Act, NIS2, SOC 2, and DORA now push obligations onto them. Here is how to build a program that satisfies customers and regulators alike.

Jul 5, 20266 min read
supply-chain-security (Page 16) — Safeguard Blog