Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Supply Chain Security

Software Supply Chain Attack at Scale: npm, PyPI, and Docker Hub Hit in 48 Hours

GitGuardian documented three distinct supply-chain campaigns striking npm, PyPI, and Docker Hub inside a single 48-hour window in April 2026. The simultaneity tells you more about attacker tooling than any single payload does.

Jun 24, 20267 min read
Container Security

Helm chart security scanning

Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.

Jun 24, 20267 min read
AI Security

Securing AI coding assistants (Claude Code, Copilot, etc.)

AI coding assistants like Claude Code and Copilot introduce new supply chain risks. Here's what's actually going wrong and how to secure your pipeline.

Jun 24, 20267 min read
Cloud Security

Code-to-cloud security (CNAPP-style end-to-end protection)

Checkmarx scans code and pipelines well, but stops short of live cloud context. Here is what code-to-cloud security actually requires, with real breach examples.

Jun 24, 20268 min read
Container Security

Detecting vulnerabilities in multi-stage Docker builds

Multi-stage Docker builds hide vulnerabilities, leaked secrets, and untracked dependencies in discarded layers. Here's what final-image scans miss and how to catch it.

Jun 24, 20266 min read
Container Security

Keeping Docker secrets secure without Kubernetes

Docker ships with tmpfs-backed Swarm secrets, BuildKit secret mounts, and Compose file secrets — here's how to use them without Kubernetes.

Jun 24, 20268 min read
DevSecOps

Reducing developer friction in AppSec adoption

Why traditional SAST tooling like Checkmarx creates developer friction, what it costs engineering teams, and how to build developer experience application security that ships.

Jun 24, 20268 min read
Supply Chain Security

CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm

The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.

Jun 23, 20267 min read
Threat Intelligence

TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline

TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.

Jun 23, 20267 min read
Container Security

Container security throughout the SDLC

A clean build-time scan doesn't mean a secure container. Here's why container security has to span code, build, deploy, and runtime — with real CVE examples.

Jun 23, 20267 min read
Container Security

Minimizing container attack surface

Container images ship 400+ CVEs on average but under 15% are reachable. Learn concrete, numbers-backed steps to cut container attack surface.

Jun 23, 20266 min read
Container Security

Signing and verifying container images with Sigstore/cosign

How cosign and Sigstore replace long-lived signing keys with short-lived, identity-based certificates and a public transparency log for containers.

Jun 23, 20267 min read
supply-chain-security (Page 23) — Safeguard Blog