GraalVM Native Image Supply Chain
GraalVM native images change the supply chain story in ways that most SBOM tooling has not caught up with yet. Here is what gets baked in, what gets stripped out, and what still needs to be tracked.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Maven plugins execute during your build with full JVM access. Here is how to verify they are legitimate and have not been tampered with.
Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.
Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.
The Java Platform Module System promised stronger encapsulation and security boundaries. Here is what it actually delivers and where the gaps remain.
SpotBugs with Find Security Bugs is the most effective free security analysis tool for Java. Here is how to get real results from it.
Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.
Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.