supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
757 articles
GUAC v1.0: Supply-Chain Graphs Reach Stable in June 2025
GUAC v1.0 shipped on June 12, 2025. We unpack the GraphQL API surface, the parsers for CSAF, OpenVEX, SPDX, CycloneDX, DSSE, and what stable means for production deployments.
Building an Open Source Risk Intelligence Platform: Beyond Vulnerability Scanning
Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.
org.opencontainers.image.source: OCI Labels for Provenance
The org.opencontainers.image.source label ties a container image back to the repository that built it — a small string with outsized value for provenance, registry linking, and supply chain security.
AI SBOMs and Model Cards: Building Transparency Into the AI Supply Chain
As AI models become critical software components, the need for AI-specific SBOMs and model cards grows urgent. How the industry is extending supply chain transparency to machine learning pipelines.
Hitachi Vantara Akira Ransomware: When the Recovery Vendor Goes Down
Akira ransomware forced Hitachi Vantara to take its own servers offline on April 26, 2025. We trace the attack pattern and the implications when an enterprise data-recovery provider becomes the incident.
SLSA v1.1 Build Track: What Approved Means for Adopters
SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.
Audio Processing Library Vulnerabilities: The Sound of Exploitation
Audio libraries parse complex binary formats in C code. They share the same vulnerability patterns as image and video codecs, with less security scrutiny.
Oracle Cloud Classic SSO Incident: rose87168 and the Legacy Endpoint Problem
In March 2025 an actor calling themselves rose87168 advertised six million Oracle Cloud SSO and LDAP records, and Oracle quietly acknowledged a breach of legacy infrastructure. We unpack what happened and what tenants should do.
Rust Supply Chain: cargo-vet Expansion in 2025
Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.
copy-webpack-plugin and terser-webpack-plugin: Build Pipeline Hygiene
The copy-webpack-plugin npm package and terser-webpack-plugin sit in almost every webpack build. Here's how to configure both without leaking files or shipping stale minifiers.
webpack-bundle-analyzer: Find Bloat and Risky Dependencies in Your Bundle
webpack bundle analyzer turns your build output into a zoomable treemap. Used well, it finds not just bloat but duplicated packages, surprise transitive dependencies, and code you never meant to ship.
Bounty Program Scoping for Dependencies
How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.