supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
SCA Security: What Software Composition Analysis Actually Catches
SCA security scans the open source dependencies that make up most of your codebase, finding known CVEs, risky licenses, and malicious packages. Here is what it catches — and what it does not.
What Is SBOM Security, and Why Does It Matter?
SBOM security is the practice of using a software bill of materials to actually find and act on risk in your dependencies, not just to produce a compliance document.
Docker Image Scanning: How It Works and What It Finds
Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.
npm Security Vulnerabilities: How to Track Them
A practical system for tracking npm security vulnerabilities across a real dependency tree, why you shouldn't rely on npm check vulnerabilities output alone, and what to automate.
What Is vm2? The Node.js Sandbox and Its Security History
vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.
SCA Code: What Composition Analysis Actually Reads in Your Repo
A concrete look at which files SCA tooling actually parses in a repository, how it builds a dependency tree, and why SCA is required even when your own code is clean.
npm Vulnerabilities: Detection, Triage, and Fix Workflow
Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.
SBOM File Formats, Explained
An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.
When to Fork an Abandoned Dependency
Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.
SBOM Example: Reading a Real CycloneDX and SPDX Document
One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.
Software Supply Chain Security: An Executive Guide for 2025
Software supply chain attacks have surged 742% since 2019. This guide cuts through the noise to explain what executives need to know, what questions to ask, and where to invest.
Container Image Vulnerability Scanning in CI
How to wire container image vulnerability scanning into your CI pipeline so builds fail on real risk instead of shipping unscanned images to production.