Safeguard
Topic

SBOM

In-depth guides and analysis on sbom from the Safeguard engineering team.

76 articles

SBOM

Software Dependency Cooldown Policies

A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.

Jun 6, 20267 min read
SBOM

From SBOMs to AI BOMs: SPDX 3.0 Explained

SPDX 3.0 adds a formal AI profile for documenting ML models and datasets. Here's what changed, how it compares to CycloneDX, and why it matters now.

Jun 6, 20268 min read
SBOM

Sonatype SBOM Manager Overview

A concrete look at Sonatype SBOM Manager — its origins, pricing model, VEX support, and common adoption gaps — for teams evaluating an SBOM manager tool.

Jun 5, 20266 min read
SBOM

Shadow Risks: Unmanaged and Unauthorized Dependencies

Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.

Jun 4, 20268 min read
SBOM

What Is SLSA (Supply-chain Levels for Software Artifacts)

SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.

Jun 2, 20268 min read
SBOM

SBOM standard formats compared (CycloneDX, SPDX, SWID)

CycloneDX, SPDX, and SWID solve different problems. Here's how the SBOM formats differ, and how Safeguard's multi-format generation compares to Mend.io's approach.

May 27, 20268 min read
SBOM

Best SBOM tools for automating bill-of-materials generation

A practical look at the best SBOM tools for 2026, comparing how Safeguard and Mend.io generate, format, and continuously update software bills of materials.

May 26, 20267 min read
SBOM

SBOM security: key components and top use cases

A practical breakdown of SBOM security components and top use cases—incident response, compliance, M&A—plus how Safeguard's approach differs from SCA-first tools like Mend.io.

May 23, 20268 min read
SBOM

Communicating security posture to customers/investors via...

How to turn SBOMs into a real vendor-risk communication tool for customers and investors, and where Mend.io's scan-first approach falls short.

May 23, 20267 min read
SBOM

Log4j-style incident response using SBOM inventories

How SBOM inventories turned days of Log4Shell triage into minutes-long queries — and why scanner-first tools like Mend.io struggled when every team needed answers at once.

May 22, 20268 min read
SBOM

SBOM for Containers: 2026 Buyer's Guide

How to generate, manage, and act on SBOMs for containers in 2026: tool comparison, layered SBOMs, signing, and runtime drift detection.

Apr 19, 20265 min read
SBOM

SBOM vs. VEX: What's the Difference and When Do You Need Each?

SBOMs tell you what is in your software. VEX tells you which of those components are actually exploitable. Here is how to use both without drowning in noise.

Apr 15, 20268 min read
SBOM — Supply Chain Security Blog | Safeguard