supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Securing MCP server registries: risks of unvetted AI tool...
Unvetted MCP servers already power tool poisoning and rug-pull attacks. Here's why package scanning like JFrog's isn't enough, and how to actually secure your MCP registry.
Anatomy of a trust center: what enterprise buyers should ...
A practical checklist for evaluating vendor trust centers—using JFrog as a reference point—covering SOC 2 scope, SBOM provenance, and disclosure SLAs enterprise buyers often miss.
Zip Slip vulnerability cheat sheet
A concrete, question-driven cheat sheet on Zip Slip: how the archive-extraction path traversal bug works, real CVEs, and how to detect and fix it.
How to prevent log injection vulnerabilities in Node.js
Log injection lets attackers forge log entries in Node.js apps via unsanitized input. Learn the sanitization, encoding, and structured-logging fixes that stop it.
npm's shift from implicit to explicit trust: what changed...
npm quietly rebuilt its trust model in 2025 after the chalk/debug hijack and the Shai-Hulud worm. Here's what changed, why JFrog's curation model isn't enough, and how Safeguard closes the gap.
Claude Opus 4.8 for Security Teams: Capabilities, AppSec Use, and Governance (May 2026)
Anthropic shipped Claude Opus 4.8 on May 28, 2026, with sharper agentic coding and better honesty about its own work. Here is what it changes for vulnerability triage, fix-PRs, and the governance you need before it touches your pipeline.
Securing AI coding assistants: governance patterns for to...
AI coding assistants like Claude Code and Cursor now write, install, and execute code with minimal oversight. Here's the governance framework that closes the gap JFrog's artifact scanning leaves open.
Policy-as-code for CI/CD: enforcing security gates withou...
How policy-as-code turns security gates from build-breaking friction into fast, git-versioned CI/CD checks — and where Safeguard's approach differs from JFrog's Xray and Curation model.
10 npm security best practices
Real npm supply-chain incidents from event-stream to the 2025 chalk/debug hack, and 10 concrete practices to stop install-time attacks, typosquatting, and token theft.
Python security best practices cheat sheet
A no-fluff cheat sheet of concrete Python security fixes—dependency pinning, pickle/eval risks, PyPI trust signals, and CI gates—with real CVEs and commands.
Software Composition Analysis (SCA) explained: how it fin...
SCA scans your dependency tree against CVE databases to catch vulnerable open-source packages like Log4Shell before they reach production.
10 Java security best practices
10 Java security best practices security teams should enforce across dependency management, deserialization, injection, secrets, and build pipelines.