Safeguard
Topic

SBOM & Compliance

In-depth guides and analysis on sbom & compliance from the Safeguard engineering team.

41 articles

SBOM & Compliance

What is a Software Bill of Materials workflow (SPDX/SBOM)...

A practical breakdown of SPDX-based SBOM compliance workflows — NTIA rules, EU CRA and FDA deadlines, where Black Duck falls short, and how continuous SBOM generation closes the gap.

Jun 13, 20268 min read
SBOM & Compliance

SOC 2 and AppSec Vendors: What to Verify Before You Buy

SOC 2 badges look identical from the outside. Here is what to actually check on audit scope, report type, and transparency before choosing an AppSec vendor.

May 20, 20268 min read
SBOM & Compliance

SBOM and Compliance: Generating and Exporting Software Bi...

Regulators now require SBOMs from federal vendors, medical device makers, and soon every EU digital product. Here's how SBOM generation tools actually compare on accuracy, format, and export.

May 15, 20267 min read
SBOM & Compliance

Open Source License Compliance: Automating License Risk R...

Manual license audits miss GPL contamination and copyleft traps. Here's how automated license risk reports work, and how Safeguard stacks up against Endor Labs.

May 15, 20267 min read
SBOM & Compliance

Cyber Resilience Act (CRA) Compliance for Software Vendors

CRA reporting duties start Sept 2026; fines reach 2.5% of global turnover. What software vendors must do for SBOMs, vulnerability reporting, and audits.

May 15, 20268 min read
SBOM & Compliance

FedRAMP for AppSec Tools: What It Means for Government So...

FedRAMP 20x now demands machine-readable SBOM and vulnerability evidence, not static reports. Here's what changed, what it costs, and where Endor Labs stands.

May 15, 20267 min read
SBOM & Compliance

PCI DSS Requirements for Application Security Testing

PCI DSS 4.0's March 2025 deadline made SBOMs and 30-day patch SLAs mandatory. Here's what Requirements 6.3.2, 6.4.2, and 11.3 actually demand, and where Endor Labs leaves compliance gaps.

May 14, 20267 min read
SBOM & Compliance

Building A Defensible SBOM Program In 90 Days

A pragmatic 90-day blueprint for standing up an SBOM program that survives auditor scrutiny, procurement reviews, and incident response without burning out your platform team.

Apr 11, 20266 min read
SBOM & Compliance

AI-BOM Explained: Tracking Models As Supply Chain

AI models are now first-class supply chain components. Here is how an AI-BOM captures lineage, datasets, runtimes, and evaluations in a way that survives audit.

Apr 7, 20267 min read
SBOM & Compliance

CycloneDX 1.7 New Features Reviewed

CycloneDX 1.7 brings richer ML-BOM, better attestations, and VEX tightening. A practical review of what changed and what it means for your SBOM pipeline.

Apr 5, 20266 min read
SBOM & Compliance

SBOM-Driven Vendor Onboarding: Procurement Blueprint

Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.

Apr 3, 20266 min read
SBOM & Compliance

CycloneDX vs SPDX: Which Format For Your Program

A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.

Mar 29, 20266 min read
SBOM & Compliance — Supply Chain Security Blog | Safeguard