Safeguard
Topic

Tools

In-depth guides and analysis on tools from the Safeguard engineering team.

50 articles

Tools

Sigstore Policy Controller v0.15: TUF Delegation and Admission Posture

Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.

Apr 8, 20267 min read
Tools

Trivy vs Grype: A Buyer Comparison for 2026

How Trivy 0.58 and Grype 0.85 compare in real-world container scanning: vulnerability coverage, false positive rates, SBOM support, and operational fit.

Apr 8, 20266 min read
Tools

JFrog Curation 2026: Time-Based Waivers and On-Demand Policies

JFrog Curation shipped time-bound waivers, on-demand policy application, group-based scope, and ChainGuard hardened-Maven support in 2026. We tested the upgrade on an Artifactory estate.

Apr 2, 20267 min read
Tools

How Syft scans software to generate SBOMs (under-the-hood...

A deep look at Syft's under-the-hood scanning mechanics — catalogers, binary classifiers, layer squashing, and SBOM formats — and where the single-scan model breaks down at fleet scale.

Mar 28, 20267 min read
Tools

tfsec to Trivy IaC: 2026 Migration Playbook

tfsec has been folded into Trivy for over a year and Aqua has stopped feature work on tfsec. We migrated three platforms in 2026 and documented what actually breaks.

Mar 26, 20266 min read
Tools

Open source dependency scanning (OSS composition risk)

Open source dependency scanning has moved from periodic audits to a CI/CD gate. Here's how it works, where Anchore fits, and where Safeguard differs.

Mar 25, 20268 min read
Tools

Checkmarx SCA vs Mend vs Snyk: 2026 Buyer Comparison

A direct comparison of Checkmarx SCA, Mend, and Snyk in 2026 across reachability, license analysis, developer experience, and total cost of ownership.

Mar 21, 20266 min read
Tools

Falco 0.40: Modern eBPF Is Now Default

Falco's 0.40 release line makes modern eBPF (CO-RE) the default driver, deprecates the legacy probe and gVisor engine, and changes how operators ship Falco. Here's what changed and what to test.

Mar 19, 20266 min read
Tools

Mend (WhiteSource) Platform Deep Review 2026

A senior-engineer's deep review of Mend (formerly WhiteSource) in 2026: SCA accuracy, reachability, container scanning, AI features, pricing, and where it fits.

Mar 19, 20265 min read
Tools

CodeQL vs Snyk: A Buyer Comparison for 2026

A side-by-side comparison of CodeQL and Snyk in 2026 across SAST, SCA, container, and IaC coverage, with realistic expectations for each.

Mar 12, 20266 min read
Tools

Best Practices for npm Lockfile Security 2026

Your package-lock.json is a supply chain control, not build noise. Six habits — npm ci, script blocking, lockfile linting, provenance checks — that stop most npm attacks cold.

Mar 10, 20266 min read
Tools

GitHub Advanced Security 2026: Copilot Autofix Goes GA

GHAS in 2026 made Copilot Autofix generally available, opened secret scanning to Team plans, and shipped extended secret metadata. We walked the upgrade for an org with 800 repos.

Mar 5, 20266 min read
Tools (Page 2) — Supply Chain Security Blog | Safeguard