Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

757 articles

Containers

Docker Scanners: Comparing the Image-Scanning Options

A docker scanner has to check three separate layers — base OS packages, application dependencies, and the Dockerfile itself — and most tools are genuinely strong at only one or two.

Sep 17, 20255 min read
Regulatory Compliance

The HIPAA Security Rule Update and Your Supply Chain

HHS's December 2024 NPRM rewrites the HIPAA Security Rule with explicit software supply chain, SBOM, and business associate controls set to take effect in 2025 and 2026.

Sep 15, 20255 min read
Industry

CNCF Supply Chain Security Best Practices v2: What Changed

CNCF TAG Security shipped the v2 Supply Chain Security paper in 2025, mainstreaming SBOMs, signed attestations, and zero-trust workload identity. We walk through the practical guidance.

Sep 9, 20257 min read
Incident Analysis

Salesloft Drift OAuth Breach: 700+ Salesforce Tenants Compromised

UNC6395 stole Salesloft Drift OAuth tokens to exfiltrate Salesforce data from more than 700 organisations including Cloudflare, Zscaler, and Palo Alto Networks in August 2025.

Sep 8, 20256 min read
Cloud Security

CNAPPs in 2025: What Cloud-Native Application Protection Platforms Actually Protect

CNAPP has become the dominant category in cloud security. But the label covers wildly different capabilities. A clear-eyed look at what CNAPPs do, where they fall short, and how supply chain security fits in.

Sep 5, 20257 min read
Open Source

jest-environment-jsdom: Setup, Gotchas, and Supply Chain Notes

Setting up npm jest-environment-jsdom correctly, why it stopped shipping with Jest, and what its jsdom dependency tree means for your test toolchain's security.

Aug 21, 20256 min read
Agent Security

MCPoison (CVE-2025-54136): How Cursor's Trust Model Failed Open

Check Point Research showed Cursor bound trust to MCP entry names, not contents. A swap-after-approval gave attackers persistent RCE on engineers' laptops.

Aug 12, 20256 min read
Open Source

babel-jest: What It Does and How to Keep Your Test Toolchain Safe

babel-jest npm sits in almost every Jest install, quietly transforming your code before tests run. Here is what it does and why test toolchains deserve supply chain attention.

Jul 29, 20256 min read
Open Source Security

PyPI's aliyun-ai-labs Campaign: Three Packages, One Targeted Region

Three PyPI packages impersonating Alibaba's AI Labs SDK exfiltrated .gitconfig data from developer machines in a regionally targeted 2025 espionage campaign.

Jul 21, 20256 min read
Industry

in-toto Graduates from CNCF: Attestation Bundles and the v1 Layer

in-toto reached CNCF graduation in April 2025 and shipped a major attestation framework release. We walk through the bundle layer, resource descriptors, and what producers should adopt.

Jul 15, 20257 min read
Policy

UK Software Security Code of Practice: The 14 Principles

Launched at CyberUK 2025 on 7 May 2025, the UK's voluntary Software Security Code of Practice sets 14 principles across four thematic areas for vendors and customers.

Jul 8, 20256 min read
Open Source

zipp in Python: Why It Is in Your Dependency Tree

The python zipp package shows up in almost every Python environment without ever being asked for by name. Here is what it does, how it got there, and the one CVE against it.

Jul 2, 20257 min read
supply-chain (Page 30) — Safeguard Blog