Software Supply Chain Security
In-depth guides and analysis on software supply chain security from the Safeguard engineering team.
175 articles
SCA vs SBOM: What's the Difference
SCA and SBOM aren't the same thing: one is a scanning process, the other is a compliance artifact. Here's how they differ and why you need both.
ESSCM Buyer Guide 2026
An enterprise buyer's guide to End-to-End Software Supply Chain Management platforms in 2026, with the questions that separate marketing from working products.
Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
What is a Software Bill of Materials (SBOM)
An SBOM is a machine-readable inventory of every software component and dependency. Learn what it contains, why it matters, and how Safeguard uses it.
CycloneDX vs SPDX: SBOM Formats Compared
CycloneDX vs SPDX: how the two SBOM formats differ in vulnerability data, licensing, regulatory recognition, and conversion — and which to pick.
What is Software Supply Chain Security
SolarWinds, Log4Shell, and XZ Utils show why software supply chain security now spans code, dependencies, and build pipelines alike.
What is a Software Supply Chain Attack
A software supply chain attack compromises trusted dependencies or build systems to spread malicious code downstream — here's how it works, and how to stop it.
What is Dependency Confusion
Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.
Malicious dependency attacks in the software supply chain
Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.
What is Typosquatting
Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.
What Are Malicious Packages
Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.
Managing risk in the software supply chain
Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.