supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Software Supply Chain Attack at Scale: npm, PyPI, and Docker Hub Hit in 48 Hours
GitGuardian documented three distinct supply-chain campaigns striking npm, PyPI, and Docker Hub inside a single 48-hour window in April 2026. The simultaneity tells you more about attacker tooling than any single payload does.
Helm chart security scanning
Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.
Securing AI coding assistants (Claude Code, Copilot, etc.)
AI coding assistants like Claude Code and Copilot introduce new supply chain risks. Here's what's actually going wrong and how to secure your pipeline.
Code-to-cloud security (CNAPP-style end-to-end protection)
Checkmarx scans code and pipelines well, but stops short of live cloud context. Here is what code-to-cloud security actually requires, with real breach examples.
Detecting vulnerabilities in multi-stage Docker builds
Multi-stage Docker builds hide vulnerabilities, leaked secrets, and untracked dependencies in discarded layers. Here's what final-image scans miss and how to catch it.
Keeping Docker secrets secure without Kubernetes
Docker ships with tmpfs-backed Swarm secrets, BuildKit secret mounts, and Compose file secrets — here's how to use them without Kubernetes.
Reducing developer friction in AppSec adoption
Why traditional SAST tooling like Checkmarx creates developer friction, what it costs engineering teams, and how to build developer experience application security that ships.
CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm
The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.
TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline
TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.
Container security throughout the SDLC
A clean build-time scan doesn't mean a secure container. Here's why container security has to span code, build, deploy, and runtime — with real CVE examples.
Minimizing container attack surface
Container images ship 400+ CVEs on average but under 15% are reachable. Learn concrete, numbers-backed steps to cut container attack surface.
Signing and verifying container images with Sigstore/cosign
How cosign and Sigstore replace long-lived signing keys with short-lived, identity-based certificates and a public transparency log for containers.