SBOM & Compliance
In-depth guides and analysis on sbom & compliance from the Safeguard engineering team.
41 articles
What is a Software Bill of Materials workflow (SPDX/SBOM)...
A practical breakdown of SPDX-based SBOM compliance workflows — NTIA rules, EU CRA and FDA deadlines, where Black Duck falls short, and how continuous SBOM generation closes the gap.
SOC 2 and AppSec Vendors: What to Verify Before You Buy
SOC 2 badges look identical from the outside. Here is what to actually check on audit scope, report type, and transparency before choosing an AppSec vendor.
SBOM and Compliance: Generating and Exporting Software Bi...
Regulators now require SBOMs from federal vendors, medical device makers, and soon every EU digital product. Here's how SBOM generation tools actually compare on accuracy, format, and export.
Open Source License Compliance: Automating License Risk R...
Manual license audits miss GPL contamination and copyleft traps. Here's how automated license risk reports work, and how Safeguard stacks up against Endor Labs.
Cyber Resilience Act (CRA) Compliance for Software Vendors
CRA reporting duties start Sept 2026; fines reach 2.5% of global turnover. What software vendors must do for SBOMs, vulnerability reporting, and audits.
FedRAMP for AppSec Tools: What It Means for Government So...
FedRAMP 20x now demands machine-readable SBOM and vulnerability evidence, not static reports. Here's what changed, what it costs, and where Endor Labs stands.
PCI DSS Requirements for Application Security Testing
PCI DSS 4.0's March 2025 deadline made SBOMs and 30-day patch SLAs mandatory. Here's what Requirements 6.3.2, 6.4.2, and 11.3 actually demand, and where Endor Labs leaves compliance gaps.
Building A Defensible SBOM Program In 90 Days
A pragmatic 90-day blueprint for standing up an SBOM program that survives auditor scrutiny, procurement reviews, and incident response without burning out your platform team.
AI-BOM Explained: Tracking Models As Supply Chain
AI models are now first-class supply chain components. Here is how an AI-BOM captures lineage, datasets, runtimes, and evaluations in a way that survives audit.
CycloneDX 1.7 New Features Reviewed
CycloneDX 1.7 brings richer ML-BOM, better attestations, and VEX tightening. A practical review of what changed and what it means for your SBOM pipeline.
SBOM-Driven Vendor Onboarding: Procurement Blueprint
Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.
CycloneDX vs SPDX: Which Format For Your Program
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.