Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Attackers compromised the popular tj-actions/changed-files GitHub Action, injecting credential-stealing code that affected over 23,000 repositories. A textbook software supply chain attack.
FedRAMP 20x demands real-time ConMon. Here's how to automate monthly POA&M, vulnerability deviation, and SBOM attestation without a 20-person team.
Apple patched CVE-2025-24201, a WebKit zero-day that allowed sandbox escape through malicious web content. Here's the technical breakdown.
PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.
AI agents that call tools -- APIs, databases, file systems, code interpreters -- convert non-deterministic LLM output into real-world actions. Securing this boundary is the defining challenge of agentic AI.
An analysis of the state of open-source security in 2025. Critical infrastructure runs on projects maintained by small, often unpaid teams. Here is what the data shows and why it matters.
Video codecs are some of the most complex code in your dependency tree. Their complexity and privileged execution make them prime supply chain targets.
AI agents that can execute code, browse the web, and manage infrastructure are proliferating. The security implications of these autonomous frameworks demand scrutiny.
Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitoring — complete with working examples.
Weekly insights on software supply chain security, delivered to your inbox.