supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Recurring vulnerability patterns in the PyPI ecosystem
PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.
Typosquatting and dependency confusion: a defense guide
In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.
Can AI-Generated Code Be Trusted? A Security Review
A 2025 USENIX study found LLMs hallucinate nonexistent packages in up to 21.7% of code samples — and attackers are already registering the names.
Containerizing Node.js apps: an updated Docker best-practices guide
The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.
DevSecOps best practices for secure builds: an 8-point SDLC framework
Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.
Docker image vulnerability scanning: best practices for CI/CD
Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.
The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed
NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.
The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning
In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.
A patching playbook for critical open-source CVEs
Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.
Securing Your Ruby Dev Environment on macOS: rbenv, rvm, and Checksums
60 malicious RubyGems downloaded ~275,000 times went undetected for years — here's how to actually verify what rbenv or rvm installs on your Mac.
Choosing a secure Node.js Docker base image
A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.
Security considerations for authenticating CLI tools through corporate proxies
Two 2026 curl CVEs show proxy credentials leaking across redirects and reused connections — plus why .npmrc still stores proxy passwords in plaintext.