supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
What Is an Artifact Attestation?
An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.
Software Composition Analysis (SCA) Explained
SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.
Container Image Scanning Best Practices
A practical guide to container image scanning: when to scan, what to block, what scanners like Snyk miss, and how to build a policy that actually gets remediated.
Dependabot alerts vs CodeQL analysis: what's the difference
Dependabot flags known vulnerabilities in dependencies; CodeQL finds flaws in your own code. Here's how the two differ inside GitHub Advanced Security.
Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End
The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.
AIBOM (AI Bill of Materials): Frequently Asked Questions
A practical FAQ on AI bills of materials in 2026 — what an AIBOM captures, how it extends SBOMs to models and datasets, model provenance risks, formats, and governance drivers.
Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained
CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.
Mini Shai-Hulud AntV npm packages compromise
A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.
Software Supply Chain Security for Government
Executive Order 14028, OMB self-attestation, the CISA attestation form, NIST SSDF, and FedRAMP have made secure software development a condition of selling to government. Here is what agencies and their vendors need.
Software Supply Chain Security for AppSec Leads
AppSec leads own the program that turns scanner noise into fixed risk. Here is how to consolidate tooling, prioritize by reachability, win developer trust, and measure a program by remediation velocity instead of finding count.
Software Supply Chain Security for DevOps Teams
DevOps teams own the pipeline, and the pipeline is now the primary target. Here is how to secure build, artifact, and deploy without turning delivery speed into collateral damage.
Swift and iOS Security Best Practices: Storage, Transport, and the Dependency Supply Chain
iOS gives you a hardware-backed Keychain, Data Protection, and App Transport Security. Most iOS app breaches come from switching those defaults off — and from unaudited SwiftPM dependencies.