Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

AI Security

Securing MCP server registries: risks of unvetted AI tool...

Unvetted MCP servers already power tool poisoning and rug-pull attacks. Here's why package scanning like JFrog's isn't enough, and how to actually secure your MCP registry.

May 30, 20268 min read
Compliance

Anatomy of a trust center: what enterprise buyers should ...

A practical checklist for evaluating vendor trust centers—using JFrog as a reference point—covering SOC 2 scope, SBOM provenance, and disclosure SLAs enterprise buyers often miss.

May 30, 20267 min read
Application Security

Zip Slip vulnerability cheat sheet

A concrete, question-driven cheat sheet on Zip Slip: how the archive-extraction path traversal bug works, real CVEs, and how to detect and fix it.

May 29, 20268 min read
Application Security

How to prevent log injection vulnerabilities in Node.js

Log injection lets attackers forge log entries in Node.js apps via unsanitized input. Learn the sanitization, encoding, and structured-logging fixes that stop it.

May 29, 20266 min read
Open Source Security

npm's shift from implicit to explicit trust: what changed...

npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.

May 29, 20267 min read
AI Security

Claude Opus 4.8 for Security Teams: Capabilities, AppSec Use, and Governance (May 2026)

Anthropic shipped Claude Opus 4.8 on May 28, 2026, with sharper agentic coding and better honesty about its own work. Here is what it changes for vulnerability triage, fix-PRs, and the governance you need before it touches your pipeline.

May 28, 202616 min read
AI Security

Securing AI coding assistants: governance patterns for to...

AI coding assistants like Claude Code and Cursor now write, install, and execute code with minimal oversight. Here's the governance framework that closes the gap JFrog's artifact scanning leaves open.

May 28, 20267 min read
DevSecOps

Policy-as-code for CI/CD: enforcing security gates withou...

How policy-as-code turns security gates from build-breaking friction into fast, git-versioned CI/CD checks — and where Safeguard's approach differs from JFrog's Xray and Curation model.

May 28, 20268 min read
Open Source Security

10 npm security best practices

Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.

May 28, 20267 min read
Application Security

Python security best practices cheat sheet

A no-fluff cheat sheet of concrete Python security fixes—dependency pinning, pickle/eval risks, PyPI trust signals, and CI gates—with real CVEs and commands.

May 28, 20261 min read
Application Security

Software Composition Analysis (SCA) explained: how it fin...

SCA scans your dependency tree against CVE databases to catch vulnerable open-source packages like Log4Shell before they reach production.

May 28, 20267 min read
Application Security

10 Java security best practices

10 Java security best practices security teams should enforce across dependency management, deserialization, injection, secrets, and build pipelines.

May 27, 20267 min read
supply-chain-security (Page 28) — Safeguard Blog