Open Source Security: Challenges, Solutions, and Opportunities
Open-source software (OSS) has become increasingly popular in software development as a way to simplify and shorten the development cycle. Unfortunately, reusing OSS also brings security risks: a vulnerability in one component can be amplified across every project that depends on it. Identifying, managing, remediating, and governing these risks throughout the OSS supply chain is therefore an urgent subject for further investigation. We will discuss the serious state of the vulnerable software supply chain, as well as the challenges we face in securing the OSS ecosystem. We will also present our recent efforts and solutions for securing the OSS supply chain, including our techniques for software component analysis (SCA), OSS supply chain analysis, license-related risk management, and artificial intelligence-based security vulnerability analysis, together with our broader work on governing OSS through health profiles for both open-source software and the development teams behind it. We also highlight the potential opportunities in OSS security and call for research in this direction.