How a Security Team use Policy as Code for Open Source Security

Announcements

SafeDep Team

• Oct 22, 2024 • 1 min read

SBOM is being mandated in certain regulated industries, especially for tracking open source dependencies. However the usefulness of SBOM, which is basically an inventory, is the tooling and use-cases around it. Conventional SCA tools are notorious for false positives and noise. Ability to prevent insecure or risky open source components proactively is required to maintain a healthy and trustworthy open source software supply chain. In this talk, we look at how to use vet for establishing security guardrails against risky OSS components. We also look at a case study of how a security team leverage vet's policy as code feature for enforcing opinionated security policies.

vet
sbom
sql
cloud

Author

SafeDep Team

safedep.io

The Latest from SafeDep blogs

Follow for the latest updates and insights on open source security & engineering

Malware

Miasma Worm Infects Multiple LeoPlatform npm Packages

A Miasma worm variant compromised a single maintainer account and used it to publish infected versions of 20 LeoPlatform npm packages within a 3-second window. The worm also pushed weaponized GitHub...

Malware

MYRA: A Full Linux RAT Distributed via npm

The npm package apintergrationpost is a red team RAT called MYRA with native C rootkit, triple persistence, fileless execution, live screen streaming, and process masquerade. This analysis documents...

Malware

The wshu.net npm Campaign Delivers a Multi-Stage Infostealer

One actor seeded 15 npm packages across 13 throwaway scopes in a single morning, each shipping a ~270KB obfuscated downloader behind a postinstall hook. The downloader pulls a Rust infostealer from...

Malware

@withgoogle/stitch-sdk: Scope Squat Harvests Developer Credentials

A malicious npm package squats the @withgoogle scope to impersonate Google Stitch, silently harvesting credentials from Claude Code, git, GitHub CLI, SSH keys, npm, and Docker on install.