Go Module Checksum Database In Depth
The Go checksum database is one of the most successful supply chain controls in any mainstream ecosystem. Here is how it actually works and where it still has edges.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
crates.io has gained real supply chain features over the past two years. Here is an honest read on what works, what is still immature, and where to invest.
PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
Two and a half years after npm provenance launched, adoption is climbing but uneven. Here is the late-2025 picture across the top packages and frameworks.
Analysis of CVE data across Rust crates and std releases, measuring how memory safety affects vulnerability shape, density, and unsafe-block concentration.
Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.
Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.
PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.