supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1052 articles
Android application security best practices
A practical, evidence-based guide to Android app security: data storage, network hardening, SDK risk, and CI/CD signing, with concrete CVEs and stats.
Securing mobile app dependencies: CocoaPods and Gradle
CocoaPods and Gradle power millions of mobile apps. See how orphaned pods, build-script RCE, and dependency confusion put them at real risk today.
OSS container image scanning tools compared
Trivy finds CVEs fast and free. Safeguard compares how each handles fleet-wide inventory, triage, policy enforcement, and audit evidence at scale.
GitHub secret scanning vs dedicated scanning tools
GitHub secret scanning vs Trivy: how push protection, validity checks, and multi-source coverage differ, and where Safeguard fits for cross-repo remediation.
Electron app security best practices
nodeIntegration, contextIsolation, Chromium patch lag, and npm supply chain risk: the Electron security best practices that actually stop RCE.
Securing IoT device firmware supply chains
How Ripple20, Mirai, and Realtek SDK flaws exposed IoT firmware supply chains, what EU CRA and FDA SBOM rules require, and what reachability adds.
How Trivy sources vulnerability data (NVD, vendor advisor...
Trivy's CVE data comes from NVD, GHSA, and distro trackers compiled into a periodic snapshot — not kube-hunter. Here's how the pipeline really works, and where it lags.
CNAPP according to Gartner: capabilities and evaluation c...
Gartner's CNAPP framework demands unified risk correlation, not bundled scanners. Here's how Trivy (Aqua) maps to it — and where supply chain security closes the gap.
Container security best practices checklist
A practical container security checklist covering base images, scanning limits, runtime risk, and why CVE scans like Trivy alone miss most real supply chain threats.
Risk-based vulnerability management explained
Why CVSS severity alone fails to prioritize vulnerabilities, how Trivy's default scoring falls short, and how EPSS, CISA KEV, and reachability data cut remediation backlogs by 95%+.
5 risks of open source software in 2026
Open source now makes up most enterprise code. Here are 5 risks defining open source software security in 2026 — and how to close the exploitability gap.
JavaScript frameworks security report
Safeguard's H1 2026 audit finds 61% of JS repos ship a high-severity framework CVE, with a 47-day median patch lag attackers routinely beat.