supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Reproducible Builds: Why Bother in 2026?
Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.
RSA Conference 2026: Supply Chain Themes
RSA Conference 2026 centered on AI governance, software supply chain regulation, and vendor consolidation. Here is the analyst view of what mattered.
GitLab OIDC Token Theft: Workflow Research
GitLab CI OIDC tokens are becoming the keys to cloud kingdoms. Recent research shows how workflow misconfigurations leak them in surprising ways.
Fargate/ECS Container Supply Chain Pitfalls
The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.
LLM Jailbreak as a Supply Chain Risk in 2026
A jailbreak in a model you ship downstream is a supply chain incident, not a trivia item. Here is how to reason about it and where the defensive controls belong.
SBOM as a Product, Not a Checkbox
Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products is why they have not paid off — and how to fix it.
ToxicSkills: When Claude Skills Become a Malware Distribution Channel
Snyk's ToxicSkills research found prompt injection in 36% of Claude skills tested and 1,467 malicious payloads. The SKILL.md trust model is the structural issue.
IBM Cloud Code Engine: A Supply Chain Defender's Walkthrough
Code Engine abstracts away Kubernetes for Knative-style serverless workloads on IBM Cloud. The supply chain story is different from what most defenders bring from AWS or GCP.
Inside PyPI Project Quarantine: How the Reversible Takedown Workflow Has Performed Since Launch
PyPI's Project Quarantine status, introduced in August 2024 and used roughly 140 times in its first year, replaces irreversible deletions with a reversible hidden state. Here is how the workflow operates and how to consume the signal.
FAQ: CycloneDX vs SPDX — Which to Use?
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
Leaky Vessels: The runc Container Escape Class (2024)
Leaky Vessels bundled four CVEs that let container processes escape into the host. Two years later the class is still mispatched and misunderstood.
Dependabot Security Update Policies for 2026
A pragmatic guide to configuring Dependabot for security updates: which knobs matter, which defaults are wrong, and how to avoid drowning teams in PRs.