Today we are publicly launching Safeguard, and we want to walk through what the platform does, why we built it this way, and what you can start using right now.
The Short Version
Safeguard is a software supply chain security platform. It gives you continuous visibility into what is inside your software -- every dependency, every transitive component, every version -- and connects that inventory to vulnerability intelligence, policy enforcement, and developer workflows.
The platform ships with five core capabilities at launch:
- SBOM Lifecycle Management -- Generate, ingest, store, version, and query Software Bills of Materials
- Vulnerability Correlation -- Real-time mapping of your components against CVE databases, OSV, and proprietary intelligence feeds
- Policy Engine -- Define rules for acceptable risk and enforce them in your CI/CD pipeline
- Developer Integrations -- CLI tool and API for embedding supply chain checks into existing workflows
- Reporting and Compliance -- Generate the documentation you need for regulatory and customer requirements
Let us go deeper on each.
SBOM Lifecycle Management
Most tools generate an SBOM and hand you a file. Safeguard treats SBOMs as a managed data type with full lifecycle support.
When you upload or generate an SBOM through Safeguard, it gets parsed, normalized, and stored in a queryable format. We support both CycloneDX and SPDX formats, and we normalize across them so you can query your inventory regardless of which format was used for generation.
Every SBOM is versioned. When your software changes and you generate a new SBOM, Safeguard tracks the delta. You can diff two SBOMs to see exactly which components were added, removed, or moved to a different version. This is critical for change management and for pinpointing the release in which a newly disclosed vulnerability entered your software.
The query interface lets you ask questions across your entire SBOM inventory. Not just "what is in this one product" but "across all our products, which ones contain this specific library?" When Log4Shell hit, the organizations that could answer that question in minutes were the ones that responded effectively. The ones that could not spent weeks in triage.
Storage is designed for enterprise scale. We have customers managing thousands of SBOMs across hundreds of products, and the platform handles that without degradation. The data model supports hierarchical organization -- products contain releases, releases contain SBOMs, SBOMs contain components -- which maps to how software organizations actually work.
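To make the diff and the cross-product query concrete, here is an added example (my own illustration, not Safeguard's code) that parses minimal CycloneDX JSON documents, computes the added/removed/changed delta between two releases, and answers the "which products contain this library?" question over a small inventory. The SBOM documents, product names and versions are constructed; only the CycloneDX fields the example reads (metadata.component and components[].name/version/purl) are modelled.

```python
"""Diff two CycloneDX SBOMs and query a multi-product inventory.

Added example, not Safeguard's code.  The SBOM documents are constructed
for illustration and model only the CycloneDX fields this example reads:
metadata.component and components[].name / version / purl.
"""
import json


def sbom(product, release, components):
    """Build a minimal CycloneDX 1.5-style JSON document (constructed data)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": product, "version": release}},
        "components": [
            {"name": purl.rsplit("/", 1)[1], "version": ver, "purl": f"{purl}@{ver}"}
            for purl, ver in components
        ],
    })


# Package URLs without their version component (constructed inventory below).
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind"
COMMONS_TEXT = "pkg:maven/org.apache.commons/commons-text"
GUAVA = "pkg:maven/com.google.guava/guava"

# Constructed inventory: {(product, release): sbom_json}
INVENTORY = {
    ("my-app", "v2.0.0"): sbom("my-app", "v2.0.0",
                               [(LOG4J, "2.14.1"), (JACKSON, "2.12.3"), (COMMONS_TEXT, "1.9")]),
    ("my-app", "v2.1.0"): sbom("my-app", "v2.1.0",
                               [(LOG4J, "2.17.1"), (JACKSON, "2.12.3"), (GUAVA, "32.1.3-jre")]),
    ("billing-svc", "v1.4.2"): sbom("billing-svc", "v1.4.2",
                                    [(LOG4J, "2.14.1"), (GUAVA, "31.1-jre")]),
    ("web-portal", "v0.9.0"): sbom("web-portal", "v0.9.0", [(JACKSON, "2.13.4")]),
}


def load_components(sbom_json):
    """Return {package_key: version} for every component in an SBOM.

    The key is the purl with its version stripped (falling back to the bare
    name), so one package is recognised across SBOMs even when its version,
    and therefore its full purl, changed.
    """
    doc = json.loads(sbom_json)
    comps = {}
    for c in doc.get("components", []):
        key = c["purl"].rsplit("@", 1)[0] if "purl" in c else c["name"]
        comps[key] = c.get("version", "")
    return comps


def diff_sboms(old_json, new_json):
    """Added / removed / version-changed packages between two SBOMs."""
    old, new = load_components(old_json), load_components(new_json)
    return {
        "added": {k: new[k] for k in sorted(new.keys() - old.keys())},
        "removed": {k: old[k] for k in sorted(old.keys() - new.keys())},
        "changed": {k: (old[k], new[k])
                    for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
    }


def products_containing(inventory, package_key):
    """Cross-product query: every (product, release, version) shipping a package."""
    hits = []
    for (product, release), doc in inventory.items():
        comps = load_components(doc)
        if package_key in comps:
            hits.append((product, release, comps[package_key]))
    return sorted(hits)


if __name__ == "__main__":
    delta = diff_sboms(INVENTORY[("my-app", "v2.0.0")], INVENTORY[("my-app", "v2.1.0")])
    print(json.dumps(delta, indent=2))
    # The "which products ship this library?" question from the post:
    for hit in products_containing(INVENTORY, LOG4J):
        print("log4j-core found in %s %s (version %s)" % hit)
```

Keying components on the versionless purl rather than the bare name is what lets the diff say "log4j-core moved from 2.14.1 to 2.17.1" instead of reporting one removal and one addition, and it is also what makes the cross-product query unambiguous when two ecosystems share a package name.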
Vulnerability Correlation
An SBOM without vulnerability context is just an inventory list. Safeguard connects your component inventory to multiple vulnerability intelligence sources and keeps that mapping current.
When a new CVE is published, Safeguard automatically checks it against every component in every SBOM in your inventory. If there is a match, you know about it immediately. You do not have to re-scan. You do not have to wait for a scheduled job. The correlation happens continuously.
We pull from NVD, OSV, GitHub Security Advisories, and our own curated intelligence. Where CVE data is ambiguous about which package versions are affected (and it often is), we maintain our own version range mappings to reduce false positives.
Each vulnerability match includes the affected component, the products it appears in, the severity, and a direct link to the advisory. For teams that are drowning in vulnerability noise, this focused, supply-chain-specific view cuts through the clutter.
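The version-range problem the post mentions is where most false positives come from, so here is an added example (not Safeguard's correlation engine) of matching an inventory against advisories written in the OSV "affected" shape: an explicit versions list, or ECOSYSTEM ranges of introduced/fixed events. The advisory identifiers, ranges, products and versions are all constructed placeholders; the version-comparison rules (numeric parts compared as integers, pre-release tags sorting below the bare release) are this example's own simplification.

```python
"""Match SBOM components against advisories carrying version ranges.

Added example, not Safeguard's correlation engine.  The advisories below
are constructed in the shape of OSV records (one "affected" entry per
package, with either an explicit "versions" list or ECOSYSTEM ranges of
introduced/fixed events); their identifiers are placeholders, not real
advisories.
"""
import re

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind"


def version_key(version):
    """Comparable key for versions like '2.14.1', 'v1.9', '2.0-beta9'.

    Numeric parts compare as integers (so 2.10 > 2.9) and a pre-release
    tag sorts before the bare release (so 2.0-beta9 < 2.0).  Simplified
    rule for the example, not a full semver or Maven ordering.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)[-.]?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))          # 2.0 compares equal to 2.0.0
    tag = m.group(2)
    return (tuple(nums), 0 if tag else 1, tag)


def is_affected(version, events):
    """OSV range semantics over an ascending event list.

    An 'introduced' event at or below the version marks it affected; a
    later 'fixed' (or passed 'last_affected') event clears that again.
    introduced '0' means 'affected from the first version'.
    """
    v = version_key(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or v >= version_key(ev["introduced"]):
                affected = True
        elif "fixed" in ev and v >= version_key(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > version_key(ev["last_affected"]):
            affected = False
    return affected


# Constructed advisories (placeholder ids).  The first uses three disjoint
# ranges, the second an explicit version list.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "severity": "CRITICAL", "affected": [{
        "package": {"purl": LOG4J},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "2.0-beta9"}, {"fixed": "2.3.1"},
            {"introduced": "2.4"}, {"fixed": "2.12.2"},
            {"introduced": "2.13.0"}, {"fixed": "2.15.0"},
        ]}],
    }]},
    {"id": "EXAMPLE-ADV-0002", "severity": "HIGH", "affected": [{
        "package": {"purl": JACKSON},
        "versions": ["2.12.3", "2.12.4"],
    }]},
]

# Constructed inventory: product -> [(purl without version, version)]
INVENTORY = {
    "my-app": [(LOG4J, "2.14.1"), (JACKSON, "2.12.3")],
    "billing-svc": [(LOG4J, "2.17.1"), (JACKSON, "2.12.3")],
    "web-portal": [(LOG4J, "2.12.2"), (JACKSON, "2.13.4")],
}


def correlate(inventory, advisories):
    """Return {(advisory_id, purl, version): {"severity", "products"}}.

    One entry per affected component version, listing every product that
    ships it, which is the view the post describes for each match.
    """
    matches = {}
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]["purl"]
            exact = set(aff.get("versions", []))
            ranges = [r["events"] for r in aff.get("ranges", [])
                      if r.get("type") in ("ECOSYSTEM", "SEMVER")]
            for product, components in inventory.items():
                for purl, version in components:
                    if purl != pkg:
                        continue
                    if version in exact or any(is_affected(version, ev) for ev in ranges):
                        entry = matches.setdefault((adv["id"], purl, version),
                                                   {"severity": adv["severity"], "products": []})
                        entry["products"].append(product)
    for entry in matches.values():
        entry["products"].sort()
    return matches


if __name__ == "__main__":
    for (adv_id, purl, version), m in correlate(INVENTORY, ADVISORIES).items():
        print(f"{adv_id} [{m['severity']}] {purl}@{version} -> {', '.join(m['products'])}")
```

Note what the range walk gets right that a naive "version between first-introduced and last-fixed" check would not: 2.12.2 sits inside the outer span but is a fixed version for its own sub-range, so it is correctly reported as unaffected, while 2.14.1 is caught and 2.17.1 is cleared by the final fixed event.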
Policy Engine
Finding vulnerabilities is necessary. Preventing them from shipping is better.
Safeguard's policy engine lets you define rules that are evaluated against your SBOMs automatically. Policies can check for:
- Vulnerability thresholds: Block releases that contain components with critical or high severity CVEs
- License compliance: Ensure no components use licenses outside your approved list (GPL in a commercial product, for example)
- Component age: Flag dependencies that have not been updated in a specified time period
- Known bad components: Maintain a deny list of specific components or versions that should never appear in your software
Policies are evaluated in CI/CD pipelines through the Safeguard CLI. The CLI takes your SBOM, evaluates it against your active policies, and returns a pass/fail result with details on any violations. This gives you a quality gate for supply chain security that works just like your existing quality gates for tests and code coverage.
Policies are versioned and auditable. You can see what policies were in effect when a specific release was approved, which is important for compliance and incident response.
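The four rule types above, evaluated as a CI gate, as an added example that is not Safeguard's policy engine: the policy layout, the component records (with declared licenses and release dates), the correlation findings and the advisory identifiers are all constructed for this illustration. Exit-code behaviour follows the post's description of the CLI (non-zero on any violation); treating a component with no declared license as a violation is this example's own conservative choice.

```python
"""Evaluate supply chain policies against an SBOM as a CI quality gate.

Added example, not Safeguard's policy engine.  The policy document, the
component records, the findings and the advisory ids are constructed for
illustration; the non-zero exit code on failure mirrors the post's
description of the CLI.
"""
import sys
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind"

# Constructed policy covering the four rule types described in the post.
POLICY = {
    "block_severity_at_or_above": "HIGH",
    "allowed_licenses": ["Apache-2.0", "MIT", "BSD-3-Clause"],
    "max_component_age_days": 1095,
    "deny_list": [
        # Pins one known-bad version; an empty "versions" list would deny every version.
        {"purl": LOG4J, "versions": ["2.14.1"]},
    ],
}

# Constructed component records as the SBOM would yield them (purl without
# version) plus the release date of that version.
COMPONENTS = [
    {"purl": LOG4J, "version": "2.14.1", "licenses": ["Apache-2.0"], "released": "2021-03-12"},
    {"purl": JACKSON, "version": "2.12.3", "licenses": ["Apache-2.0"], "released": "2021-04-12"},
    {"purl": "pkg:maven/org.example/legacy-util", "version": "0.3.0",
     "licenses": ["GPL-3.0-only"], "released": "2019-01-01"},
]

# Constructed correlation output for those components (placeholder advisory ids).
FINDINGS = [
    {"purl": LOG4J, "version": "2.14.1", "id": "EXAMPLE-ADV-0001", "severity": "CRITICAL"},
    {"purl": JACKSON, "version": "2.12.3", "id": "EXAMPLE-ADV-0002", "severity": "MEDIUM"},
]


def evaluate(policy, components, findings, today_iso):
    """Return (passed, violations); each violation names its rule and component."""
    today = date.fromisoformat(today_iso)
    violations = []

    # Rule 1: vulnerability threshold over the correlation findings.
    threshold = SEVERITY_RANK[policy["block_severity_at_or_above"]]
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= threshold:
            violations.append({"rule": "vulnerability-threshold",
                               "component": f"{f['purl']}@{f['version']}",
                               "detail": f"{f['id']} is {f['severity']}"})

    allowed = set(policy["allowed_licenses"])
    for c in components:
        ref = f"{c['purl']}@{c['version']}"

        # Rule 2: license allow list (an undeclared license is treated as a violation).
        licenses = c.get("licenses") or []
        unapproved = [lic for lic in licenses if lic not in allowed]
        if not licenses or unapproved:
            detail = "no license declared" if not licenses else "unapproved: " + ", ".join(unapproved)
            violations.append({"rule": "license", "component": ref, "detail": detail})

        # Rule 3: component age, measured from the version's release date.
        age = (today - date.fromisoformat(c["released"])).days
        if age > policy["max_component_age_days"]:
            violations.append({"rule": "component-age", "component": ref,
                               "detail": f"{age} days old"})

        # Rule 4: explicit deny list of components or component versions.
        for entry in policy["deny_list"]:
            if c["purl"] == entry["purl"] and (not entry["versions"] or c["version"] in entry["versions"]):
                violations.append({"rule": "deny-list", "component": ref,
                                   "detail": "explicitly denied"})

    return (not violations, violations)


def main():
    passed, violations = evaluate(POLICY, COMPONENTS, FINDINGS, date.today().isoformat())
    for v in violations:
        print(f"[{v['rule']}] {v['component']}: {v['detail']}")
    print("policy check:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because every violation carries the rule name and the exact component, the same output serves both the pipeline (a single exit code) and the audit trail the post describes: storing this result next to the policy version in force at build time is what lets you later show what a release was checked against.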
Developer Integrations
We built Safeguard for security teams, but we designed the developer experience to be frictionless. The platform ships with a full REST API, a CLI tool, and documentation for integrating with common CI/CD platforms.
The API follows REST conventions and returns JSON. Every operation you can perform in the web interface is available through the API. This is not an afterthought -- the web interface is itself an API client.
The CLI is a single binary that runs on Linux, macOS, and Windows. It can generate SBOMs (wrapping established generators like Syft and Trivy), upload them to Safeguard, run policy checks, and query your inventory. A typical CI/CD integration is four lines in your pipeline configuration.
safeguard sbom generate --format cyclonedx --output sbom.json
safeguard sbom upload --project my-app --release v2.1.0 --file sbom.json
safeguard policy check --project my-app --release v2.1.0
If the policy check fails, the pipeline fails. If it passes, you have a recorded, auditable proof that the release met your supply chain security requirements at the time of build.
Reporting and Compliance
Regulatory pressure around software supply chain security is increasing. The EU Cyber Resilience Act, FDA cybersecurity requirements for medical devices, CISA's SBOM guidance, and customer contractual requirements are all driving demand for documentation.
Safeguard generates compliance reports that map your SBOM data to specific regulatory frameworks. You can produce customer-facing SBOM documents, vulnerability disclosure reports, and compliance attestations directly from the platform.
Reports are generated from your live data, so they are always current. When a customer asks for an SBOM of the product version they are running, you can produce it in seconds, not days.
Architecture Decisions
A few technical decisions are worth calling out.
Multi-format support from day one. We normalize CycloneDX and SPDX into a common internal model. This means you can ingest SBOMs in either format, query across them uniformly, and export in either format. We do not force you to pick a side in the format debate.
API-first design. Every feature is an API endpoint first. The web interface, CLI, IDE extensions, and CI/CD integrations are all API clients. This means anything we can do, you can automate.
Tenant isolation. Each organization's data is isolated at the storage level. We use per-tenant encryption keys and strict access controls. Your SBOM data is your competitive intelligence -- we treat it accordingly.
Real-time correlation. Vulnerability matching is event-driven, not batch. When a new advisory is published or a new SBOM is uploaded, correlation happens immediately. In supply chain security, hours matter.
What Comes Next
This launch is the foundation. Over the coming months, we will be shipping:
- Container image scanning -- Extend SBOM and vulnerability analysis to container images
- Reachability analysis -- Determine whether vulnerable code paths are actually invoked in your application
- AI-powered querying -- Natural language interface for your supply chain data
- IDE extensions -- Surface supply chain intelligence directly in VS Code and JetBrains
We are building in the open and our roadmap is driven by customer needs. If you are dealing with software supply chain security challenges, we want to hear from you.
Getting Started
You can sign up for Safeguard at safeguard.sh. The platform includes a free tier that supports up to 10 projects, which is enough to evaluate the full feature set.
If you want to see the platform in action before committing, we run weekly demos every Thursday. Sign up through the website.
For enterprise evaluations, reach out to our team directly. We will set up a dedicated environment and work with you on a proof of concept against your actual software portfolio.
The software supply chain security problem is real, it is growing, and it affects every organization that builds or deploys software. We built Safeguard to help you get ahead of it.