supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
How Snyk's AI-SPM approach extends ASPM concepts to AI sy...
How Snyk's Evo AI-SPM extends ASPM's discover-assess-enforce loop to models, datasets, and agents, based on its March 2026 GA launch and public documentation.
How Snyk's JetBrains plugin family supports IntelliJ, PyC...
A mechanical look at how Snyk ships one JetBrains plugin across IntelliJ, PyCharm, WebStorm, GoLand, and Rider using a shared platform and backend scan engine.
How Snyk's GitHub Actions integration scans pull requests...
A mechanical breakdown of how Snyk's GitHub Actions integration scans pull requests: triggers, SARIF uploads, severity thresholds, and what the checks can't see.
How the Snyk CLI's --all-projects flag discovers manifest...
A technical look at how Snyk CLI's --all-projects flag walks a repository, matches manifest files, and where directory-depth limits can leave dependencies unscanned.
How the Snyk CLI's exit codes are structured for CI/CD fa...
A mechanical look at how the Snyk CLI's 0/1/2/3 exit codes work, how --severity-threshold and --fail-on change them, and how to branch on them correctly in CI/CD.
Why 'Time to Fix' Is a Better Supply Chain Metric Than Vu...
Vulnerability counts measure how hard you're looking, not how exposed you are. Here's why mean time to remediate is the metric that actually predicts breach risk.
Monorepo vs Polyrepo: How Architecture Choices Shape Supp...
Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.
How Package Manager Design Choices Influence Supply Chain...
npm, PyPI, RubyGems, Go, and Cargo each made different design bets on install scripts, namespacing, and signing — and those bets directly shape supply chain attack surface.
Why Vulnerability Disclosure Timelines Still Vary Wildly ...
Google gives vendors 90 days, ZDI gives 120, the EU wants 24 hours, and Linux had no CVE process until 2024. Here's why disclosure timelines diverge so sharply across ecosystems.
From Log4Shell to Now: What Changed and What Didn't in Su...
Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.
The Hidden Risk of Copy-Pasted Code Snippets from Forums ...
Copy-pasted code from Stack Overflow and AI chats often ships with hidden vulnerabilities. Here's the data behind the risk, real breaches it caused, and how to catch it.
Why Scanning AI-Generated Code Requires Different Heurist...
AI coding assistants write fast but fail differently than humans do. Learn why scanning AI-generated code needs new heuristics for hallucinated dependencies.