Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.
Abandoned packages are ticking time bombs in the supply chain. When maintainers disappear, attackers can take over package names and push malicious updates to millions of downstream projects.
Security audits of the Rust crate ecosystem reveal patterns of unsafe code, build script risks, and supply chain vulnerabilities. Here is what the data shows.
Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.
Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the security posture of open source projects before adding them to your supply chain.
Ansible Galaxy roles and collections execute with root privileges on your infrastructure. Most teams apply zero security scrutiny to them.
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.
Every package ecosystem handles install-time code execution differently. Some are permissive, some restrictive, and the differences matter for supply chain security.
Dependency hijacking encompasses multiple attack techniques that redirect dependency resolution to attacker-controlled packages. This guide covers all major hijacking vectors and their countermeasures.
Weekly insights on software supply chain security, delivered to your inbox.