SBOM
In-depth guides and analysis on sbom from the Safeguard engineering team.
76 articles
CycloneDX vs SPDX: SBOM Format Comparison 2026
A practical CycloneDX vs SPDX comparison for 2026 buyers: schema depth, tool support, regulatory alignment, and which format to pick for which use case.
How to Read a CycloneDX SBOM: A Line-by-Line Walkthrough
A walkthrough of a CycloneDX 1.6 JSON document — metadata, components, services, dependencies, and vulnerabilities — with a real snippet and what to check first.
SBOM standards and formats compared (SPDX vs CycloneDX vs...
SPDX, CycloneDX, and Syft JSON aren't interchangeable. A concrete breakdown of what each format is for, where Anchore's Syft defaults, and how Safeguard handles both.
What is a Software Bill of Materials (SBOM) — definitions...
What is an SBOM? A plain-language breakdown of definitions, contents, formats (SPDX vs CycloneDX), compliance drivers, and real use cases like Log4Shell and xz-utils.
How to generate an SBOM with free open source tools
Free tools like Syft and Trivy can generate an SBOM in minutes. Here's exactly how, where open source tooling stops scaling, and how Safeguard fills the gap.
SBOM automation from creation to scanning & analysis
SBOM generation alone isn't enough. See how continuous SBOM automation — from creation to scanning and analysis — closes the gaps left by point-in-time tools.
Tern SBOM Generation Walkthrough for 2026
A walkthrough of generating SBOMs with Tern in 2026, covering layer-by-layer inspection, CycloneDX output, and practical comparison with Syft.
Tackling SBOM sprawl across an organization
SBOM generation has outpaced SBOM management. Here's why sprawl happens, what it costs in incident response and audits, and how to consolidate it for good.
SBOM GitHub Action / dropping SBOM tooling into CI workflows
Adding an SBOM GitHub Action like Anchore's is easy; making the output useful isn't. Here's what breaks in real CI pipelines and how to fix it.
SBOM Drift Detection Playbook for 2026
A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.
CycloneDX 1.7 Migration Guide From 1.5
A practical migration path from CycloneDX 1.5 to 1.7 covering schema changes, machine learning BOM additions, formulation, and the tooling adjustments required.
SPDX 3.0 Feature Overview for 2026
What changed in SPDX 3.0 and the 3.0.1 patch release: the profile model, AI and dataset profiles, serialization choices, and what to migrate first.