SBOM & Compliance
In-depth guides and analysis on sbom & compliance from the Safeguard engineering team.
41 articles
Sigstore Rekor Transparency Log Operations
Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.
Mend vs Black Duck: Functional Comparison
Compare Mend (formerly WhiteSource) and Black Duck on SBOM export, license policy, detection sources, deployment model, and enterprise reporting for 2024 SCA selection.
SLSA Build L1 to L3 Migration Playbook
Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.
How to Generate SBOMs From Maven Projects
Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship attested SBOMs alongside your JARs.
How to Structure an SBOM Review Process
Build a repeatable SBOM review workflow that catches license risks, stale dependencies, and unexpected components before they ship to customers.