supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Managing Transitive Dependencies: The Vulnerabilities You Didn't Choose
Most dependency risk lives in packages you never installed directly. Here is how transitive dependencies work across ecosystems and how to audit and control them.
Rust Supply Chain Security: build.rs, Typosquatting, and Auditing crates.io
Rust's borrow checker guarantees memory safety in your code — and nothing about the crates you pull in. A cargo build runs arbitrary code at compile time, before any safe code executes.
Socket.dev Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Socket.dev alternatives in 2026 — Snyk, Endor Labs, Mend, Aikido, Sonatype, and Safeguard — with candid pros, cons, and a framework for choosing.
Integrating AI Tools Without Expanding Your Attack Surface
Stanford researchers found developers using AI coding assistants wrote more security bugs — and felt more confident in them. Here's how to adopt AI safely.
AI-assisted vulnerability remediation patterns: what to verify before you merge
GitHub reports its Copilot Autofix suggestions resolve two-thirds of flagged vulnerabilities with little or no editing — but the other third is where merges go wrong.
The supply-chain and IP risk hiding inside AI coding assistants
GitHub has disclosed that Copilot suggestions match training-set code verbatim about 1% of the time — and a class action over it is still being argued in 2026.
The Security Pitfalls Hiding in AI-Generated Code
A 2021 NYU study found roughly 40% of Copilot completions on security-relevant prompts contained exploitable flaws. Here's a field guide to catching them.
AI Developer Tools: Weighing Productivity Against Security and IP Exposure
NYU found 40% of Copilot-generated code contained exploitable flaws; Samsung banned ChatGPT after three leaks in under 20 days. The productivity math still isn't simple.
The AppSec Program Spring-Cleaning Checklist
The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.
Automating container image vulnerability scans in GitHub Actions
A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.
Automating Security Controls on Google Cloud
Binary Authorization can block every unsigned container from reaching GKE or Cloud Run — but only if your pipeline is wired to sign images the moment they pass scanning.
How to publish a secure Python package: signing, SBOMs, and trusted publishing
PyPI enforced two-factor authentication for all users on January 1, 2024 — but 2FA alone doesn't stop a stolen API token. Here's the full secure-publishing stack.