Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1053 articles

Open Source Security

Hex.pm package registry security and Elixir supply chain ...

Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.

Feb 1, 20267 min read
Open Source Security

Mix dependency management and mix.lock integrity in Elixi...

A practical guide to mix.lock integrity: pinning Elixir dependencies, verifying lockfile hashes, and preventing supply chain tampering in mix.exs projects.

Feb 1, 20268 min read
Container Security

What is Image Signing

Container image signing binds a cryptographic signature to an image's digest so you can prove what's running is what was actually built — not just scanned.

Feb 1, 20267 min read
Open Source Security

Finding vulnerable .NET dependencies with dotnet list pac...

A step-by-step guide to scanning C# projects for vulnerable NuGet packages using dotnet list package --vulnerable, plus how to fix and monitor them continuously.

Jan 31, 20267 min read
Open Source Security

Case study: a malicious NuGet package compromise and its ...

Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.

Jan 30, 20268 min read
Software Supply Chain Security

CocoaPods supply chain security and Podfile.lock integrit...

A 2024 CocoaPods Trunk server flaw let attackers hijack orphaned pods and exposed a deeper gap: Podfile.lock never verified dependency integrity in the first place.

Jan 30, 20267 min read
Open Source Security

Swift Package Manager dependency resolution and pinning s...

SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.

Jan 30, 20266 min read
Open Source Security

Maven Central dependency confusion and namespace collisio...

How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.

Jan 29, 20267 min read
Open Source Security

Scanning Kotlin and Android projects with OWASP Dependenc...

A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.

Jan 29, 20268 min read
Open Source Security

PyPI typosquatting and malicious Python packages targetin...

PyPI typosquatting lets attackers slip malicious Python packages into your build with one typo. Real attacks, why PyPI is exposed, and how to stay safe.

Jan 28, 20267 min read
Regulatory Compliance

Django SECRET_KEY exposure and settings.py secret managem...

A Django SECRET_KEY exposure can silently unravel session security, CSRF protection, and signed tokens. Here's how to find, fix, and prevent it for good.

Jan 28, 20268 min read
Best Practices

What is the Principle of Least Functionality

The principle of least functionality (NIST CM-7) means shipping only the ports, services, and code a system needs—nothing extra "just in case."

Jan 27, 20267 min read
supply-chain-security (Page 48) — Safeguard Blog