Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Manual license audits cannot keep pace with modern dependency trees. Automated license detection, policy enforcement, and compliance documentation turn a legal bottleneck into a developer workflow.
When a solo maintainer disappears, entire dependency chains are at risk. How organizations should approach succession planning for critical open source projects.
Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.
An analysis of the state of open-source security in 2025. Critical infrastructure runs on projects maintained by small, often unpaid teams. Here is what the data shows and why it matters.
Codes of conduct are not just social documents. They affect maintainer retention, contributor diversity, and ultimately the security posture of the project.
Despite growing recognition that open source underpins critical infrastructure, security funding remains fragmented and insufficient. A look at the numbers and what needs to change.
CNCF, Linux Foundation, Apache, Eclipse — each has a different governance model. A practical evaluation of what that means for projects considering adoption.
OpenSSF Scorecard crossed 1M scanned repos in October 2024. We break down adoption, score drift, and which checks are actually predictive.
Labyrinth Chollima's operations show a specific pattern — poisoned open source packages as initial access. A profile of the tradecraft and the defensive response.
Weekly insights on software supply chain security, delivered to your inbox.