Safeguard
Topic

Software Supply Chain Security

In-depth guides and analysis on software supply chain security from the Safeguard engineering team.

175 articles

Software Supply Chain Security

SCA vs SBOM: What's the Difference

SCA and SBOM aren't the same thing: one is a scanning process, the other is a compliance artifact. Here's how they differ and why you need both.

Apr 14, 20267 min read
Software Supply Chain Security

ESSCM Buyer Guide 2026

An enterprise buyer's guide to End-to-End Software Supply Chain Management platforms in 2026, with the questions that separate marketing from working products.

Apr 8, 20265 min read
Software Supply Chain Security

Why SLSA Level 3 Matters (and Level 4 Usually Doesn't)

SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.

Apr 5, 20268 min read
Software Supply Chain Security

What is a Software Bill of Materials (SBOM)

An SBOM is a machine-readable inventory of every software component and dependency. Learn what it contains, why it matters, and how Safeguard uses it.

Apr 5, 20266 min read
Software Supply Chain Security

CycloneDX vs SPDX: SBOM Formats Compared

CycloneDX vs SPDX: how the two SBOM formats differ in vulnerability data, licensing, regulatory recognition, and conversion — and which to pick.

Apr 5, 20266 min read
Software Supply Chain Security

What is Software Supply Chain Security

SolarWinds, Log4Shell, and XZ Utils show why software supply chain security now spans code, dependencies, and build pipelines alike.

Apr 4, 20267 min read
Software Supply Chain Security

What is a Software Supply Chain Attack

A software supply chain attack compromises trusted dependencies or build systems to spread malicious code downstream — here's how it works, and how to stop it.

Apr 4, 20267 min read
Software Supply Chain Security

What is Dependency Confusion

Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.

Apr 4, 20266 min read
Software Supply Chain Security

Malicious dependency attacks in the software supply chain

Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.

Apr 4, 20267 min read
Software Supply Chain Security

What is Typosquatting

Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.

Apr 4, 20267 min read
Software Supply Chain Security

What Are Malicious Packages

Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.

Apr 3, 20267 min read
Software Supply Chain Security

Managing risk in the software supply chain

Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.

Apr 3, 20268 min read
Software Supply Chain Security (Page 5) — Supply Chain Security Blog | Safeguard