Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Concepts

What Is an Artifact Attestation?

An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.

Jul 4, 20266 min read
Open Source Security

Software Composition Analysis (SCA) Explained

SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.

Jul 4, 20267 min read
Container Security

Container Image Scanning Best Practices

A practical guide to container image scanning: when to scan, what to block, what scanners like Snyk miss, and how to build a policy that actually gets remediated.

Jul 4, 20268 min read
Product

Dependabot alerts vs CodeQL analysis: what's the difference

Dependabot flags known vulnerabilities in dependencies; CodeQL finds flaws in your own code. Here's how the two differ inside GitHub Advanced Security.

Jul 4, 20268 min read
Security Guides

Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End

The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.

Jul 3, 20266 min read
FAQ

AIBOM (AI Bill of Materials): Frequently Asked Questions

A practical FAQ on AI bills of materials in 2026 — what an AIBOM captures, how it extends SBOMs to models and datasets, model provenance risks, formats, and governance drivers.

Jul 3, 20266 min read
Vulnerability Analysis

Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained

CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.

Jul 3, 20265 min read
Software Supply Chain Security

Mini Shai-Hulud AntV npm packages compromise

A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.

Jul 3, 20267 min read
Solutions

Software Supply Chain Security for Government

Executive Order 14028, OMB self-attestation, the CISA attestation form, NIST SSDF, and FedRAMP have made secure software development a condition of selling to government. Here is what agencies and their vendors need.

Jul 3, 20265 min read
Solutions

Software Supply Chain Security for AppSec Leads

AppSec leads own the program that turns scanner noise into fixed risk. Here is how to consolidate tooling, prioritize by reachability, win developer trust, and measure a program by remediation velocity instead of finding count.

Jul 3, 20266 min read
Solutions

Software Supply Chain Security for DevOps Teams

DevOps teams own the pipeline, and the pipeline is now the primary target. Here is how to secure build, artifact, and deploy without turning delivery speed into collateral damage.

Jul 3, 20266 min read
Security Guides

Swift and iOS Security Best Practices: Storage, Transport, and the Dependency Supply Chain

iOS gives you a hardware-backed Keychain, Data Protection, and App Transport Security. Most iOS app breaches come from switching those defaults off — and from unaudited SwiftPM dependencies.

Jul 3, 20266 min read
supply-chain-security (Page 18) — Safeguard Blog