Product Launch

Safeguard Desktop App: Supply Chain Security Without the Browser Tab

Announcing the Safeguard Desktop App -- a native application for macOS, Windows, and Linux that brings SBOM management, vulnerability tracking, and policy gates to your desktop.

Yukti Singhal
Head of Product

We are releasing the Safeguard Desktop App today. It is available for macOS, Windows, and Linux, and it brings the full Safeguard platform to your desktop without requiring a browser.

Let me explain why we built this and what it does differently from the web interface.

Why a Desktop App

The honest answer: because some workflows are just better as native applications.

Our web interface works well for dashboards, reporting, and team-level views. But for individual developer workflows -- scanning a local project, reviewing SBOM diffs before a commit, checking policy gates before pushing -- a browser tab is not ideal. You have to context-switch, log in, navigate to the right project, and wait for the data to load.

A desktop app eliminates that friction. It sits in your system tray, watches your local projects, and provides instant access to supply chain security data. No browser, no navigation, no waiting for page loads.

The second reason is offline capability. Not full offline mode -- you still need connectivity for vulnerability database updates and policy sync -- but the desktop app caches your SBOM data locally. You can review your project's dependency tree, check component details, and browse historical data without an active connection. When you reconnect, everything syncs.

Core Features

Local SBOM Generation

The desktop app includes built-in SBOM generation for projects on your local filesystem. Point it at a project directory, and it generates a CycloneDX or SPDX SBOM by analyzing:

  • Package manifests (package.json, requirements.txt, go.mod, pom.xml, Cargo.toml, and 20+ more)
  • Lock files for precise version resolution
  • Container images (Dockerfile analysis and image scanning)
  • Binary analysis for compiled artifacts

You can generate SBOMs on demand or configure the app to regenerate automatically when project files change. Generated SBOMs are automatically uploaded to your Safeguard workspace for team visibility.

Real-Time Vulnerability Monitoring

Once the app is tracking a local project, it continuously monitors for new vulnerabilities affecting your dependencies. When a new CVE is published that impacts one of your components, you get a native desktop notification -- not an email that gets buried, not a Slack message that scrolls past, but an OS-level notification that shows up immediately.

Each notification includes the vulnerability ID, severity, affected component, and a direct link to remediation guidance. You can triage directly from the notification -- mark as accepted risk, snooze, or open the full details.

SBOM Diff View

This is the feature our beta testers liked most. Before you commit or push, the desktop app can show you a diff of how your SBOM has changed -- new dependencies added, versions bumped, components removed. Each change is annotated with:

  • Known vulnerabilities in the new version
  • License changes
  • Maintainer health indicators
  • Policy gate implications

It turns dependency changes from opaque version bumps into informed decisions. You can see at a glance that upgrading lodash from 4.17.20 to 4.17.21 closes two medium-severity CVEs, or that the new dependency you added has a GPL license that conflicts with your project's policy.
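
The kind of comparison described above, as an added example (not Safeguard's code): it diffs two CycloneDX JSON documents keyed by package URL and reports added, removed and version-bumped components, flagging any newly introduced license that is on a deny-list. The sample SBOMs, the left-pad and examplelib entries, and the DENIED_LICENSES policy are constructed for illustration.

```python
# Constructed CycloneDX-style inputs, trimmed to the fields this diff reads.
OLD = {"components": [
    {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "WTFPL"}}]}]}
NEW = {"components": [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "examplelib", "version": "2.0.0", "purl": "pkg:npm/examplelib@2.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}]}
DENIED_LICENSES = {"GPL-3.0-only"}  # hypothetical project policy

def _key(c):
    """Component identity without version: purl minus subpath, qualifiers and version."""
    purl = c.get("purl", "")
    if not purl:
        return c.get("name", "")  # fall back to the bare name when no purl is present
    base = purl.split("#", 1)[0].split("?", 1)[0]
    head, sep, _ = base.rpartition("@")
    return head if sep else base

def _licenses(c):
    out = set()
    for entry in c.get("licenses", []):
        lic = entry.get("license", {})
        out.add(entry.get("expression") or lic.get("id") or lic.get("name") or "UNKNOWN")
    return out

def index(bom):
    return {_key(c): (c.get("version", ""), _licenses(c)) for c in bom.get("components", [])}

def diff_sboms(old, new, denied=frozenset()):
    """Return one record per changed component, sorted by component key."""
    a, b = index(old), index(new)
    changes = []
    for k in sorted(a.keys() | b.keys()):
        if k not in a:
            kind = "added"
        elif k not in b:
            kind = "removed"
        elif a[k] == b[k]:
            continue  # same version and licenses: nothing to report
        else:
            kind = "version" if a[k][0] != b[k][0] else "license"
        (old_v, old_l), (new_v, new_l) = a.get(k, ("", set())), b.get(k, ("", set()))
        changes.append({"component": k, "kind": kind, "old": old_v, "new": new_v,
                        "blocked": sorted((new_l - old_l) & denied)})
    return changes
```

Calling diff_sboms(OLD, NEW, DENIED_LICENSES) yields three records: examplelib added and blocked by the license policy, left-pad removed, and lodash bumped from 4.17.20 to 4.17.21.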

Policy Gate Integration

If your team uses Safeguard's policy gates, the desktop app shows your current gate status for each tracked project. Green means your project passes all policies. Yellow means there are warnings. Red means there are blocking violations.

You can drill into any policy violation to see exactly what is failing and what you need to do to fix it. For common violations (vulnerable dependency, license conflict, missing SBOM fields), the app suggests automated fixes.

Project Dashboard

The main window provides an overview of all your tracked projects with key metrics: total dependencies, known vulnerabilities by severity, SBOM quality score, policy gate status, and last scan time. It is the same data available in the web interface, but organized for individual developer use rather than team-level reporting.

Technical Details

The app is built on Electron with a Rust backend for performance-critical operations like SBOM generation and diff computation. We know Electron gets a bad rap for resource usage, and we took that seriously:

  • Memory usage stays under 150MB for typical workloads
  • The Rust backend handles all filesystem watching and SBOM generation, keeping the Electron process lean
  • Background scans are throttled to avoid impacting system performance during builds

The app auto-updates silently. When a new version is available, it downloads in the background and applies the update on next restart. No manual intervention required.

System Requirements

  • macOS: 11 (Big Sur) or later, Apple Silicon and Intel
  • Windows: 10 or later, x64 and ARM64
  • Linux: Ubuntu 20.04+, Fedora 35+, or equivalent. AppImage and .deb packages available.

Integration with Safeguard CLI

The desktop app and the Safeguard CLI share configuration and project state. If you have existing CLI-managed projects, the desktop app picks them up automatically. SBOM generation settings, policy configurations, and authentication are shared.

Privacy and Data Handling

We want to be explicit about what the desktop app accesses on your machine:

  • It reads package manifests and lock files in tracked project directories
  • It does not read source code files (only dependency metadata)
  • Generated SBOMs are uploaded to your Safeguard workspace (you control which projects are tracked)
  • Local SBOM cache can be cleared at any time
  • All communication with Safeguard servers uses TLS 1.3
  • No telemetry beyond what you opt into

Getting Started

Download the app from safeguard.sh/desktop or install via your package manager:

# macOS
brew install --cask safeguard

# Windows
winget install Safeguard.Desktop

# Linux
snap install safeguard-desktop

Sign in with your existing Safeguard account, point it at your project directories, and you are set.

How Safeguard.sh Helps

The Safeguard Desktop App brings the full power of the Safeguard platform to your local development workflow. Generate SBOMs locally, get real-time vulnerability notifications, review dependency changes before committing, and check policy gate status -- all without leaving your development environment. Combined with the Safeguard MCP Server and CLI, it completes the picture: supply chain security that meets developers wherever they work.
