SBOM
In-depth guides and analysis on sbom from the Safeguard engineering team.
76 articles
Software Dependency Cooldown Policies
A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.
From SBOMs to AI BOMs: SPDX 3.0 Explained
SPDX 3.0 adds a formal AI profile for documenting ML models and datasets. Here's what changed, how it compares to CycloneDX, and why it matters now.
Sonatype SBOM Manager Overview
A concrete look at Sonatype SBOM Manager — its origins, pricing model, VEX support, and common adoption gaps — for teams evaluating an SBOM manager tool.
Shadow Risks: Unmanaged and Unauthorized Dependencies
Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.
What Is SLSA (Supply-chain Levels for Software Artifacts)
SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.
SBOM standard formats compared (CycloneDX, SPDX, SWID)
CycloneDX, SPDX, and SWID solve different problems. Here's how the SBOM formats differ, and how Safeguard's multi-format generation compares to Mend.io's approach.
Best SBOM tools for automating bill-of-materials generation
A practical look at the best SBOM tools for 2026, comparing how Safeguard and Mend.io generate, format, and continuously update software bills of materials.
SBOM security: key components and top use cases
A practical breakdown of SBOM security components and top use cases—incident response, compliance, M&A—plus how Safeguard's approach differs from SCA-first tools like Mend.io.
Communicating security posture to customers/investors via...
How to turn SBOMs into a real vendor-risk communication tool for customers and investors, and where Mend.io's scan-first approach falls short.
Log4j-style incident response using SBOM inventories
How SBOM inventories turned days of Log4Shell triage into minutes-long queries — and why scanner-first tools like Mend.io struggled when every team needed answers at once.
SBOM for Containers: 2026 Buyer's Guide
How to generate, manage, and act on SBOMs for containers in 2026: tool comparison, layered SBOMs, signing, and runtime drift detection.
SBOM vs. VEX: What's the Difference and When Do You Need Each?
SBOMs tell you what is in your software. VEX tells you which of those components are actually exploitable. Here is how to use both without drowning in noise.