Safeguard
Topic

SBOM & Compliance

In-depth guides and analysis on sbom & compliance from the Safeguard engineering team.

41 articles

SBOM & Compliance

Java SBOM Generation Tools Compared

Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.

Dec 5, 20245 min read
SBOM & Compliance

Provenance Attestation Consumer Workflow

Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the security value actually materialises.

Nov 20, 20247 min read
SBOM & Compliance

SBOM Quality Benchmarking: What We Found in 2024

We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.

Nov 8, 20245 min read
SBOM & Compliance

SLSA Build Provenance for Python Publish

Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.

Oct 15, 20247 min read
SBOM & Compliance

Witness Attestation Collection Workflow

Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.

Sep 22, 20247 min read
SBOM & Compliance

SLSA Builder Requirements in Production

The SLSA specification sets explicit requirements for builders at each level. Here is what those requirements actually mean when you operate a builder in production.

Aug 28, 20247 min read
SBOM & Compliance

Cosign Verification Policies in Production

Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.

Jul 30, 20246 min read
SBOM & Compliance

How to Build a VEX Document for Your Consumers

A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product and which do not.

Jul 22, 20246 min read
SBOM & Compliance

in-toto Attestation Formats Reviewed

The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.

Jun 28, 20246 min read
SBOM & Compliance

Migrating SBOM Tooling Providers

A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.

May 18, 20248 min read
SBOM & Compliance

SLSA for Go Releases: A Practical Guide

Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.

May 15, 20246 min read
SBOM & Compliance

Medical Device SBOM Requirements in Practice

SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.

Apr 25, 20247 min read
SBOM & Compliance (Page 3) — Supply Chain Security Blog | Safeguard