OpenSSF Scorecard v5: Raising the Bar for Open Source Security
The latest release of OpenSSF Scorecard introduces new checks and improved accuracy, helping organizations make data-driven decisions about open source dependency risk.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.
A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.
A review of FOSSA for open source license compliance and vulnerability management, covering license detection, policy automation, and enterprise integration patterns.
5G networks are software-defined infrastructure built on open-source components. The supply chain implications are enormous and under-discussed.
A practical template for crafting an enterprise open-source usage policy that balances developer freedom with security and compliance requirements.
A review of Tern, the open source tool that generates SBOMs by inspecting container image layers, including its strengths, limitations, and where it fits in your toolchain.
A practical comparison of Trivy and Grype for vulnerability scanning, covering detection accuracy, performance, SBOM support, and real-world usage patterns.