Compliance
In-depth guides and analysis on compliance from the Safeguard engineering team.
254 articles
Why a Customer Trust Center matters for vendor risk reviews
Vendor security reviews stall without a live trust center. See what appsec teams check, how Veracode approaches transparency, and how Safeguard's trust center speeds reviews.
What open source scans miss in M&A due diligence
Open source composition scans like Black Duck catch known packages and licenses — but M&A due diligence needs to catch what those scans miss too.
Open source license compliance and risk management
How to manage open source license risk beyond point-in-time scans: copyleft traps, MongoDB/Elastic relicensing, and why continuous checks beat Black Duck-style audits.
What is an Open Source Audit?
What is an open source audit, how does it compare to Black Duck's point-in-time scans, and why continuous monitoring closes the gap audits leave open.
What are Open Source Licenses?
Open source licenses govern how 96% of modern codebases can legally be used. Here's how license compliance works, where Black Duck's approach falls short, and how to close the gaps.
Sonatype Trust Center and Security Program Overview
Sonatype's trust center offers compliance snapshots on request. Safeguard compares that model to continuous, evidence-based supply chain verification.
ISO 27001 and NIST Framework Alignment for Supply Chain V...
How ISO 27001:2022 and NIST's SSDF, SP 800-161, and CSF 2.0 converge on software supply chain vendors—and where CVE-only scanning tools leave compliance gaps.
SOC 2 Type II vs ISO 27001: what each certification actua...
SOC 2 Type II and ISO 27001 certify different things to different audiences. Here's what each actually covers, and how to evaluate supply chain vendors like JFrog and Safeguard on it.
Anatomy of a trust center: what enterprise buyers should ...
A practical checklist for evaluating vendor trust centers—using JFrog as a reference point—covering SOC 2 scope, SBOM provenance, and disclosure SLAs enterprise buyers often miss.
Government access request policies: how vendors handle la...
How JFrog and other software supply chain vendors handle law-enforcement subpoenas, and what Safeguard commits to differently on SBOM and metadata requests.
FTC Safeguards Rule: Enforcement Heats Up in 2026
The FTC finalized 30-day breach notification in 2025 and pursued multi-million-dollar settlements through 2026. Non-bank financial institutions need to take the Rule seriously.
Open source license management tools: features and best p...
A practical comparison of open source license management tools, contrasting Safeguard and Mend.io on detection, policy enforcement, and SBOM depth.