supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
GitHub Actions workflow injection vulnerabilities
How GitHub Actions workflow injection lets attackers hijack CI pipelines via untrusted input, real CVEs like CVE-2025-30066, and how to detect it.
Jenkins plugin vulnerability trends report
Jenkins plugin CVEs keep piling up—missing permission checks, CSRF gaps, and a critical CVE-2024-23897 that attackers scanned for within days.
Unapproved Change Risk in the Software Supply Chain
How unreviewed code, dependency, and pipeline changes create supply chain breaches like SolarWinds and XZ Utils - and how to detect them before attackers do.
OpenTofu and Terraform provider supply chain risk
Terraform and OpenTofu providers run unsandboxed with full pipeline credentials. Here's where the provider supply chain actually breaks down.
Session Persistence Security Risks
CircleCI, Okta, Sourcegraph, and Codecov were all breached the same way: a session token outlived the trust that created it. Here's how session persistence becomes a supply chain risk.
Multi-Factor Authentication Bypass via Privilege Escalation
Attackers increasingly skip cracking MFA altogether — they escalate privileges around it. Real cases from Microsoft, Uber, and SolarWinds show how, and what actually stops it.
Personal Access Token Security Best Practices
Leaked personal access tokens have driven major supply chain breaches. Here's why PATs are risky, real incidents, and how scoping, rotation, and detection fix it.
Cleartext Sensitive Information in Cookies
Cleartext sensitive data in cookies (CWE-315) quietly enables account takeover and IDOR. Here's how it happens, why it survives review, and how Safeguard catches it.
Insecure Default Configurations in Applications and Frame...
Insecure default configurations caused the 2016 MongoDB ransom wave, the 2018 Tesla Kubernetes breach, and countless audit failures. Here's why defaults stay dangerous and how to fix it.
Containers Running in Privileged Mode: Risks and Fixes
Docker's --privileged flag strips seccomp, AppArmor, and capability limits in one line. Here's how attackers exploit it, real CVEs, and how to lock it down.
SQL Injection Prevention in Python with Parameterized Que...
SQL injection remains widespread in Python apps despite decades-old fixes. Here's how parameterized queries actually prevent it, and where ORMs still leave gaps.
SQL Injection Prevention in Ruby with exec_params Binding
Ruby's pg gem makes SQL injection preventable with one method change. Here's how exec_params binds parameters, why Rails CVEs keep recurring, and how to migrate safely.