Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Supply Chain Security

The C++ supply chain has no npm — and that's the risk

C++ has no single package registry like npm or PyPI, so vendored code hides provenance — the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shows the cost.

Jul 11, 20266 min read
Supply Chain Attacks

The anatomy of a PyPI credential stealer

In a single 24-hour window in 2022, one actor shipped 12 malicious PyPI packages bundling Windows stealers that harvested browser, Discord, and Roblox credentials.

Jul 11, 20267 min read
Open Source Security

Bundler dependency resolution and safe Gemfile upgrade strategies

In May 2026 RubyGems suspended new signups after attackers mass-created accounts to flood the registry with malicious gems. Here's how Bundler actually resolves risk.

Jul 11, 20266 min read
Supply Chain Attacks

How malicious Gemfile.lock entries redirect Ruby installs to attacker servers

A single unreviewed remote: line in Gemfile.lock can silently reroute a bundle install — here's how Ruby lockfile injection works and how to stop it.

Jul 11, 20266 min read
DevSecOps

Hardening a Java build pipeline in GitHub Actions

23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.

Jul 11, 20266 min read
AI Security

Least-privilege scoping for AI agents with write access to code, CI, and cloud

OWASP's 2025 LLM Top 10 names Excessive Agency a top risk; a single over-scoped CI token already dumped secrets from 23,000+ repos in 2025.

Jul 10, 20268 min read
AI Security

AI Code Generation: An Evaluation Framework for Gating Output Before Merge

NYU researchers found security weaknesses in ~40% of Copilot-generated programs. Here's how to gate AI code before it ever reaches main.

Jul 10, 20267 min read
Supply Chain Security

CI/CD pipeline hardening against supply chain attacks

23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.

Jul 10, 20267 min read
Container Security

A Practical Container Security Checklist: From Base Image to Runtime

Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.

Jul 10, 20266 min read
Container Security

Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared

BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.

Jul 10, 20266 min read
Supply Chain Security

IDE extension marketplace trust and verification

Wiz Research found 550+ leaked secrets across 500+ VS Code extensions, including publisher tokens that let attackers push malicious updates to entire install bases.

Jul 10, 20266 min read
Supply Chain Security

Incident response playbook for a compromised dependency or CI action

23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.

Jul 10, 20266 min read
supply-chain-security (Page 5) — Safeguard Blog