supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Heroku OAuth Token Leak Postmortem and Lessons
A retrospective on the Heroku OAuth token incident, what the public timeline revealed about supply chain trust assumptions, and the durable lessons for platform teams.
AI-Generated Dockerfile Vulnerability Patterns
LLM-generated Dockerfiles repeat the same six or seven mistakes. Here is the pattern catalog and how to catch them before they ship.
npm Slopsquat: The Hallucinated Package Risk in 2026
Slopsquatting is the practice of registering package names that LLMs hallucinate, turning AI coding assistants into an accidental distribution channel.
FAQ: How Much Does Supply Chain Security Cost?
Real numbers for supply chain security in 2026 — tool spend, headcount, hidden costs, SMB vs enterprise ranges, and where teams over- and under-invest.
KubeCon NA 2025: Supply Chain Security Themes
KubeCon + CloudNativeCon NA 2025 put supply chain security at the center of the cloud-native conversation. Here is what mattered for platform teams.
K8s RBAC Blast Radius in Supply Chain Attacks
How Kubernetes RBAC determines what a supply chain attack can actually do once a compromised workload runs, and the RBAC patterns that meaningfully reduce blast radius.
AI Models in Your Supply Chain: The Security Risks Nobody Talks About
AI/ML models are the new open source libraries. Here's why your supply chain security strategy needs to account for model provenance, poisoning, and compliance.
Safeguard Gold Expands to 6,000+ Artifacts
The Gold Registry crossed 6,000 curated zero-CVE packages and images across ten ecosystems in February 2026 — and is now at 500K+. Here is what was in the original milestone, how it is built, and how to use it.
Renovate Bot Configuration Recipes for 2026
Renovate is the more powerful dependency-update bot, and its config surface is large. Here are the recipes worth knowing and the defaults worth overriding.
AI Code Assistant Package Hallucination Study
The Safeguard Research team measured how often AI coding assistants hallucinate non-existent packages, how sticky those hallucinations are, and what defenders should do.
Healthcare Supply Chain Security Baseline for 2026
What hospitals and payers should actually require from their software vendors in 2026: HIPAA-aligned controls, SBOM expectations, and the threats now hitting clinical environments.
Maven Central Malicious Publishing Trends 2025
Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.