supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Maven Enforcer Plugin Security Rules
Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.
Dependency Firewalls: Concept, Architecture, and Implementation
A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.
Defense Industrial Base Supply Chain and CMMC
How the Defense Industrial Base is adapting its software supply chain to CMMC 2.0, NIST SP 800-171, and DFARS flow-down obligations.
Wolfi OS: The Linux Distribution Built for Secure Containers
Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.
npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain
npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.
Rust Build Scripts: A Supply Chain Risk Profile
Why build.rs is the highest-leverage attack surface in the Rust ecosystem, with concrete examples from 2023 and 2024 incidents.
AWS Lambda Layers: Supply Chain Risks
Lambda layers feel like a convenience but they are a supply chain attack surface that most teams do not treat as code. Here is how they get abused and what to do about it.
Okta 2022-2023 Incidents: Supply Chain Lessons
A retrospective on Okta's string of security incidents from 2022 through 2023 and what they teach us about identity providers as critical supply chain dependencies.
Single-Maintainer Bus Factor Risk in OSS
A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.
Node.js Permission Model: Restricting What Your Code Can Do
Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.
Vault Supply Chain Integration Patterns
HashiCorp Vault is a Swiss Army knife for secrets, but most teams use it as a glorified key-value store. A walkthrough of the integration patterns that make Vault actually useful in a CI/CD supply chain.
Azure Functions Supply Chain Security
Azure Functions hide a surprising amount of supply chain risk — Oryx builds, run-from-package, extension bundles, and the way deployment slots interact with identity.