Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Supply Chain

SCA Security: What Software Composition Analysis Actually Catches

SCA security scans the open source dependencies that make up most of your codebase, finding known CVEs, risky licenses, and malicious packages. Here is what it catches — and what it does not.

May 27, 20257 min read
Supply Chain

What Is SBOM Security, and Why Does It Matter?

SBOM security is the practice of using a software bill of materials to actually find and act on risk in your dependencies, not just to produce a compliance document.

May 14, 20254 min read
Containers

Docker Image Scanning: How It Works and What It Finds

Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.

Apr 29, 20256 min read
Vulnerabilities

npm Security Vulnerabilities: How to Track Them

A practical system for tracking npm security vulnerabilities across a real dependency tree, why you shouldn't rely on npm check vulnerabilities output alone, and what to automate.

Apr 25, 20255 min read
AppSec

What Is vm2? The Node.js Sandbox and Its Security History

vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.

Apr 14, 20256 min read
Supply Chain

SCA Code: What Composition Analysis Actually Reads in Your Repo

A concrete look at which files SCA tooling actually parses in a repository, how it builds a dependency tree, and why SCA is required even when your own code is clean.

Apr 2, 20255 min read
Supply Chain

npm Vulnerabilities: Detection, Triage, and Fix Workflow

Known CVEs and hostile packages are two different problems that share one dependency tree. A workflow for detecting npm vulnerabilities, triaging by reachability, and fixing without breaking your lockfile.

Mar 18, 20256 min read
Supply Chain

SBOM File Formats, Explained

An SBOM file is only useful if the tools reading it agree on its structure — here's what CycloneDX, SPDX, and SWID actually look like and when each one fits.

Mar 18, 20255 min read
Supply Chain

When to Fork an Abandoned Dependency

Forking looks like a one-time action but is really a multi-year maintenance commitment. Here is a decision framework for when a fork beats patching, vendoring, or replacing.

Mar 18, 20256 min read
Supply Chain

SBOM Example: Reading a Real CycloneDX and SPDX Document

One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.

Mar 18, 20256 min read
Industry Analysis

Software Supply Chain Security: An Executive Guide for 2025

Software supply chain attacks have surged 742% since 2019. This guide cuts through the noise to explain what executives need to know, what questions to ask, and where to invest.

Feb 25, 20255 min read
Containers

Container Image Vulnerability Scanning in CI

How to wire container image vulnerability scanning into your CI pipeline so builds fail on real risk instead of shipping unscanned images to production.

Feb 18, 20256 min read
supply-chain-security (Page 83) — Safeguard Blog