supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Contributing to open source securely: a guide for new maintainers and PR authors
It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.
The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)
Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.
Securing a Dockerized Rails Local Dev Environment
A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.
Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle
CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.
Minimal container images with ko: evaluating distroless Go builds
ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.
Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets
A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.
Root cause: CVE-2022-40764, the Snyk CLI command injection
A crafted vendor.json field let attackers run shell commands from inside a security scanner — CVE-2022-40764 shows why CLI tools must never build shell strings.
Connecting build, deploy, and runtime security into one AppSec lifecycle
The XZ Utils backdoor (CVE-2024-3094) was found in the build chain; most tools that would have caught it stop at deploy. Here's how to close that gap.
Container-handling security fundamentals: immutability, signing, and privilege drops
Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.
Container security: five best practices for provenance, runtime, and network
A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.
A hardening checklist for modern Drupal deployments
Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.
Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks
In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.