supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1052 articles
Building a secure CI/CD pipeline with GitHub Actions
The tj-actions breach exposed secrets in 23,000 repos. Here's how pwn requests, unpinned tags, and self-hosted runners put your CI/CD at risk.
Exploring vulnerabilities in GitHub Actions workflows
From the tj-actions/changed-files hijack to PyTorch's self-hosted runner breach, real incidents show how GitHub Actions workflows keep getting exploited.
Securing self-hosted GitHub Actions runners
Self-hosted GitHub Actions runners trade GitHub's ephemeral isolation for persistent infrastructure access — here's how real incidents like CVE-2025-30066 exploited that gap.
Finding and fixing exposed hardcoded secrets in GitHub projects
Hardcoded secrets leak into GitHub every day and get exploited within minutes. Here's how to find, fix, and prevent exposed credentials at scale.
Automated Dependency Patches: How Endor-Style Patch Gener...
Endor Labs generates automated dependency patches using reachability and AI rewrites. Here's how the pipeline works, where it breaks, and Safeguard's approach.
CVE vs CVSS vs EPSS vs SSVC scoring compared
CVE tells you a flaw exists, CVSS rates severity, EPSS predicts exploitation, and SSVC drives decisions. Here's how Safeguard and Socket.dev use each differently.
SSO, SCIM, and Vanta integrations for compliance-driven t...
How SSO, SCIM, and native Vanta integration shape audit readiness for supply chain security tools, and where Safeguard's approach differs from Socket.dev's.
GDPR compliance considerations for application security teams
GDPR's Article 32 doesn't name SAST or SBOM, but fines like Meta's €1.2B and BA's £20m trace straight back to AppSec gaps.
Does Socket.dev store or upload your source code?
Does Socket.dev see your proprietary source code? Here's how dependency scanners access repos, and where Safeguard draws the compliance line.
FedRAMP authorization for cloud service providers explained
A concrete walkthrough of FedRAMP authorization for CSPs: impact levels, control counts, timelines, costs, FedRAMP 20x, and continuous monitoring deadlines.
Malicious postinstall scripts in npm packages
From eslint-scope in 2018 to the 2025 Shai-Hulud worm, npm postinstall scripts keep delivering malware before any scan or review runs. Here's how it works and what stops it.
Malicious PyPI packages: common infiltration patterns
Real malicious PyPI package examples — typosquats, dependency confusion, hijacked maintainers, and crypto stealers — and how Safeguard catches them before install.