
Asset Discovery

Continuous inventory of every dependency, image, AI model, and MCP server across the estate.

What is asset discovery?

Asset discovery, in a software-supply-chain context, is the process of continuously finding and cataloguing everything your organisation ships or depends on — open-source packages, container images, AI/ML models, public APIs, MCP servers, internal libraries, and the services that host all of the above.

It is the unglamorous but foundational layer that everything else — vulnerability management, licensing, compliance, incident response — sits on top of. The old principle applies: you cannot secure what you do not know you have.

How it works

Modern asset discovery crosses the whole software stack, not just package manifests:

  1. Source-of-truth connectors. The platform connects to SCM (GitHub, GitLab, Bitbucket, Azure DevOps), container registries, cloud accounts, and artifact stores. Every repo, image, and artifact is fingerprinted.
  2. Multi-format inventory extraction. Each artifact is parsed into a structured SBOM, AI-BOM (for models and weights), API catalog entry, and/or MCP server registration depending on type. Relationships across these bills are preserved.
  3. Continuous reconciliation. New pushes, deployments, and configuration changes re-trigger discovery so the inventory reflects reality — not the state of things when the last manual audit ran.

Why it matters

Most organisations think they know what they ship. Then a Log4Shell-class incident hits and the actual exercise — "where are we running a vulnerable version of X?" — takes days, because the inventory was spreadsheets and tribal memory.

Continuous asset discovery turns that question into a single query. It is also the prerequisite for every regulator-facing artifact: SBOMs, VEX, attestation packs, third-party risk answers, and responses to EU CRA, US EO 14028, FDA 524B, and DORA obligations.
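As an added illustration of that "single query" (not Safeguard's code), the script below indexes three constructed SBOM fragments, one per discovered artifact, into one inventory and asks which artifacts carry a log4j-core build older than a given fixed-in version. The artifact names, the component data and the 2.15.0 threshold are all assumptions made for the example.

```python
"""Merge per-artifact SBOM fragments into one inventory and answer
'where are we running a vulnerable version of X?' with one query."""
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragments, one per discovered artifact
# (container image, source repo, internal library). Not real data.
SBOMS = [
    {"artifact": "registry.example/payments:1.4.2", "components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.14.1"},
        {"name": "spring-core", "group": "org.springframework", "version": "5.3.9"}]},
    {"artifact": "git:acme/ledger-service", "components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.17.1"},
        {"name": "lodash", "group": "", "version": "4.17.21"}]},
    {"artifact": "lib:acme/internal-metrics", "components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.0-beta9"}]},
]

def version_key(v):
    """Sortable key: numeric parts first; a pre-release tag sorts below the final release."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    return (nums, 1 if not pre else 0, pre)

def build_inventory(sboms):
    """Index every component occurrence as (group, name) -> [(artifact, version), ...]."""
    inv = defaultdict(list)
    for sbom in sboms:
        for c in sbom["components"]:
            inv[(c["group"], c["name"])].append((sbom["artifact"], c["version"]))
    return inv

def find_exposed(inv, group, name, fixed_in):
    """Return (artifact, version) pairs whose version of the component is older than fixed_in."""
    limit = version_key(fixed_in)
    return sorted((art, ver) for art, ver in inv.get((group, name), [])
                  if version_key(ver) < limit)

if __name__ == "__main__":
    inventory = build_inventory(SBOMS)
    # Assumed threshold: the analyst supplies the version that closes the issue.
    for art, ver in find_exposed(inventory, "org.apache.logging.log4j", "log4j-core", "2.15.0"):
        print(f"EXPOSED {art}: log4j-core {ver}")
```

The same inventory answers licence and AI-model questions by indexing different fields of the bill of materials; only the query changes.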

What value it adds

  • Incident response collapses from days to minutes

    When the next CVE-of-the-week hits, you answer "are we exposed?" in one query, not a week of repo-hunting.

  • Shadow components stop existing

    AI models, MCP servers, and unofficial internal libraries are just as discoverable as npm packages.

  • Regulatory artifacts generate themselves

    SBOMs, AI-BOMs, and attestations come from the same inventory that powers operational security.

  • M&A and supplier due diligence accelerate

    Instead of a 6-week code audit, you hand over a live inventory and let the buyer query it.

  • Licence and licence-risk posture becomes real-time

    A GPL library introduced by a transitive dependency is visible the moment it lands in a repo, not after the release ships.

How Safeguard uses it

Safeguard's discovery layer spans every surface an organisation ships: code repos, container registries, AI model stores, API gateways, and MCP server fleets — all unified into one queryable inventory. Every downstream capability (policy, reachability, compliance) reads from that single source of truth. See the full asset discovery use case for the end-to-end flow.

See your full software estate — in one view.

Connect Safeguard to your SCM and registries. Watch an accurate, unified inventory appear in minutes.