supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
BuildKit Build-Time Container Teardown Arbitrary File Del...
A malicious Dockerfile can exploit CVE-2024-23652 to make BuildKit delete arbitrary host files during build teardown. Here's what's affected and how to fix it.
The 2019 Docker Hub Database Breach Exposing User Credent...
In April 2019, Docker Hub exposed 190,000 accounts' credentials and GitHub/Bitbucket tokens. Here's what happened, what leaked, and why it still matters for supply chain security.
Cloud-native Go services vulnerability landscape
A runc escape trilogy, a gRPC-Go bypass, and a lingering SSH auth flaw reveal how concentrated risk in Go now shapes the cloud native vulnerability landscape.
Go standard library CVE trend report
A trend analysis of Go standard library CVEs from HTTP/2 Rapid Reset to crypto/x509 parsing bugs — and why "it's stdlib" is not a safe-harbor assumption.
Go module checksum database bypass risks
Go's GOSUMDB checksum verification is meant to be on by default, but Safeguard's research found roughly 1 in 6 CI pipelines quietly disable it.
Best secrets scanning tools for CI/CD pipelines
A practical, no-hype comparison of secrets scanning tools for CI/CD: what gitleaks, TruffleHog, and GitGuardian catch, and where each one falls short.
Docker Hub malicious image report
Researchers estimate roughly 3% of public Docker Hub images carry malicious payloads. Here's what's inside them, how they spread, and how to defend your pipeline.
Top vulnerable base images on Docker Hub
A look at why Docker Hub's most-pulled base images still ship hundreds of known CVEs, and how reachability analysis cuts the noise down to what's actually exploitable.
Best SLSA-compliant build systems
A fair comparison of SLSA compliant build systems—GitHub Actions, Cloud Build, GitLab, Tekton Chains—with real strengths and limitations for Build Level 3.
Cascading Failures in Multi-Agent AI Architectures
One compromised agent can poison an entire pipeline in seconds. Heres how cascading failures spread through multi-agent AI systems, and how to contain them.
Cryptomining malware hidden in public Docker images
Cryptomining malware keeps resurfacing in public Docker images. Here's how attackers hide miners in plain sight — and how to catch them before they run.
Insecure Inter-Agent Communication in Multi-Agent Systems
Multi-agent AI pipelines pass untrusted content between agents with no authentication or integrity checks. Here's how insecure inter-agent communication opens the door to injection attacks.