Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

757 articles

Frameworks

GUAC v1.0: Supply-Chain Graphs Reach Stable in June 2025

GUAC v1.0 shipped on June 12, 2025. We unpack the GraphQL API surface, the parsers for CSAF, OpenVEX, SPDX, CycloneDX, DSSE, and what stable means for production deployments.

Jun 25, 20255 min read
Open Source Security

Building an Open Source Risk Intelligence Platform: Beyond Vulnerability Scanning

Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.

Jun 25, 20257 min read
Supply Chain

org.opencontainers.image.source: OCI Labels for Provenance

The org.opencontainers.image.source label ties a container image back to the repository that built it — a small string with outsized value for provenance, registry linking, and supply chain security.

Jun 11, 20257 min read
AI Security

AI SBOMs and Model Cards: Building Transparency Into the AI Supply Chain

As AI models become critical software components, the need for AI-specific SBOMs and model cards grows urgent. How the industry is extending supply chain transparency to machine learning pipelines.

Jun 10, 20259 min read
Incident Analysis

Hitachi Vantara Akira Ransomware: When the Recovery Vendor Goes Down

Akira ransomware forced Hitachi Vantara to take its own servers offline on April 26, 2025. We trace the attack pattern and the implications when an enterprise data-recovery provider becomes the incident.

May 8, 20257 min read
Frameworks

SLSA v1.1 Build Track: What Approved Means for Adopters

SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.

May 8, 20257 min read
Vulnerability Research

Audio Processing Library Vulnerabilities: The Sound of Exploitation

Audio libraries parse complex binary formats in C code. They share the same vulnerability patterns as image and video codecs, with less security scrutiny.

Apr 28, 20255 min read
Incident Analysis

Oracle Cloud Classic SSO Incident: rose87168 and the Legacy Endpoint Problem

In March 2025 an actor calling themselves rose87168 advertised six million Oracle Cloud SSO and LDAP records, and Oracle quietly acknowledged a breach of legacy infrastructure. We unpack what happened and what tenants should do.

Apr 22, 20257 min read
Open Source Security

Rust Supply Chain: cargo-vet Expansion in 2025

Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.

Apr 15, 20255 min read
Supply Chain

copy-webpack-plugin and terser-webpack-plugin: Build Pipeline Hygiene

The copy-webpack-plugin npm package and terser-webpack-plugin sit in almost every webpack build. Here's how to configure both without leaking files or shipping stale minifiers.

Apr 9, 20256 min read
Supply Chain

webpack-bundle-analyzer: Find Bloat and Risky Dependencies in Your Bundle

webpack bundle analyzer turns your build output into a zoomable treemap. Used well, it finds not just bloat but duplicated packages, surprise transitive dependencies, and code you never meant to ship.

Apr 9, 20257 min read
Best Practices

Bounty Program Scoping for Dependencies

How to scope a bug bounty program when most of your attack surface lives in third-party dependencies — with guidance on payouts, triage, and upstream coordination.

Apr 8, 20258 min read
supply-chain (Page 31) — Safeguard Blog