supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
757 articles
Docker Scanners: Comparing the Image-Scanning Options
A docker scanner has to check three separate layers — base OS packages, application dependencies, and the Dockerfile itself — and most tools are genuinely strong at only one or two.
The HIPAA Security Rule Update and Your Supply Chain
HHS's December 2024 NPRM rewrites the HIPAA Security Rule with explicit software supply chain, SBOM, and business associate controls set to take effect in 2025 and 2026.
CNCF Supply Chain Security Best Practices v2: What Changed
CNCF TAG Security shipped the v2 Supply Chain Security paper in 2025, mainstreaming SBOMs, signed attestations, and zero-trust workload identity. We walk through the practical guidance.
Salesloft Drift OAuth Breach: 700+ Salesforce Tenants Compromised
UNC6395 stole Salesloft Drift OAuth tokens to exfiltrate Salesforce data from more than 700 organisations including Cloudflare, Zscaler, and Palo Alto Networks in August 2025.
CNAPPs in 2025: What Cloud-Native Application Protection Platforms Actually Protect
CNAPP has become the dominant category in cloud security. But the label covers wildly different capabilities. A clear-eyed look at what CNAPPs do, where they fall short, and how supply chain security fits in.
jest-environment-jsdom: Setup, Gotchas, and Supply Chain Notes
Setting up npm jest-environment-jsdom correctly, why it stopped shipping with Jest, and what its jsdom dependency tree means for your test toolchain's security.
MCPoison (CVE-2025-54136): How Cursor's Trust Model Failed Open
Check Point Research showed Cursor bound trust to MCP entry names, not contents. A swap-after-approval gave attackers persistent RCE on engineers' laptops.
babel-jest: What It Does and How to Keep Your Test Toolchain Safe
babel-jest npm sits in almost every Jest install, quietly transforming your code before tests run. Here is what it does and why test toolchains deserve supply chain attention.
PyPI's aliyun-ai-labs Campaign: Three Packages, One Targeted Region
Three PyPI packages impersonating Alibaba's AI Labs SDK exfiltrated .gitconfig data from developer machines in a regionally targeted 2025 espionage campaign.
in-toto Graduates from CNCF: Attestation Bundles and the v1 Layer
in-toto reached CNCF graduation in April 2025 and shipped a major attestation framework release. We walk through the bundle layer, resource descriptors, and what producers should adopt.
UK Software Security Code of Practice: The 14 Principles
Launched at CyberUK 2025 on 7 May 2025, the UK's voluntary Software Security Code of Practice sets 14 principles across four thematic areas for vendors and customers.
zipp in Python: Why It Is in Your Dependency Tree
The python zipp package shows up in almost every Python environment without ever being asked for by name. Here is what it does, how it got there, and the one CVE against it.