SBOM
In-depth guides and analysis on sbom from the Safeguard engineering team.
76 articles
CISA Minimum Elements for SBOM: 2026 Update
A clear walkthrough of CISA's 2026 revisions to the minimum elements for SBOM, what changed from the original NTIA baseline, and how to bring your outputs into compliance.
SBOM Generation: Syft, Tern, Trivy Compared (2026)
An engineer's side-by-side of Syft, Tern, and Trivy for SBOM generation in 2026, with honest notes on accuracy, performance, and where each tool actually fits.
SBOM-Driven Due Diligence for M&A
How SBOMs have become a standard input to technical due diligence for software acquisitions, what acquirers actually look for, and how sellers should prepare.
SBOMs for Firmware and IoT Devices: The Hard Problem
Generating accurate SBOMs for firmware and IoT devices remains one of the toughest challenges in supply chain security. Here's the current state of the art.
How to set up SBOM generation in a CI pipeline
Learn how to build an SBOM generation CI pipeline with Syft and GitHub Actions, covering scanning, signing, storage, and verification for supply chain visibility.
OpenVEX vs. CycloneDX VEX: Which to Pick
A direct comparison of OpenVEX and CycloneDX VEX in 2026, covering spec differences, tooling support, and the operational tradeoffs that actually affect your choice.
SBOM Enrichment and Vulnerability Correlation: Turning Inventory into Intelligence
A raw SBOM is a parts list. An enriched SBOM is a risk assessment. Here's how to bridge the gap.
SBOM Ingestion at Scale: An Architecture Guide
A pragmatic architecture for ingesting, normalizing, and querying hundreds of thousands of SBOMs across an enterprise or agency, without drowning in noise.
SBOM Distribution Patterns: TEA, VEX, and the Last Mile in 2026
How SBOMs actually move between producers and consumers in 2026, what TEA and VEX are solving, and the distribution patterns that hold up in production.
Generating and exporting a software bill of materials in AWS
A practical walkthrough for generating and exporting an AWS SBOM using Inspector and ECR -- plus troubleshooting tips and how Safeguard helps.
Generating SBOMs and provenance with GCP Artifact Analysis
A step-by-step guide to GCP SBOM generation using Artifact Analysis: scan container images, export SPDX/CycloneDX SBOMs, and attach SLSA provenance attestations.
Medical device firmware SBOM and coordinated vulnerabilit...
How medical device firmware SBOMs, FDA Section 524B, ISO 81001-5-1, and coordinated vulnerability disclosure work together to secure connected IoMT devices.