Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Open Source Security

Contributing to open source securely: a guide for new maintainers and PR authors

It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.

Jul 12, 20267 min read
Container Security

The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)

Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.

Jul 12, 20266 min read
Container Security

Securing a Dockerized Rails Local Dev Environment

A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.

Jul 12, 20266 min read
Supply Chain Security

Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle

CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.

Jul 12, 20266 min read
Container Security

Minimal container images with ko: evaluating distroless Go builds

ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.

Jul 12, 20267 min read
DevSecOps

Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets

A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.

Jul 12, 20267 min read
Vulnerability Management

Root cause: CVE-2022-40764, the Snyk CLI command injection

A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.

Jul 12, 20266 min read
Cloud Security

Connecting build, deploy, and runtime security into one AppSec lifecycle

The XZ Utils backdoor (CVE-2024-3094) was found in the build chain; most tools that would have caught it stop at deploy. Here's how to close that gap.

Jul 11, 20267 min read
Container Security

Container-handling security fundamentals: immutability, signing, and privilege drops

Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.

Jul 11, 20267 min read
Container Security

Container security: five best practices for provenance, runtime, and network

A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.

Jul 11, 20266 min read
Application Security

A hardening checklist for modern Drupal deployments

Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.

Jul 11, 20266 min read
Supply Chain Attacks

Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks

In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.

Jul 11, 20265 min read
supply-chain-security (Page 4) — Safeguard Blog