Safeguard
FAQ

Safeguard Platform FAQ: Software Supply Chain Security Answered

A plain-English FAQ about the Safeguard platform — what it covers, how the pieces fit together, and how it differs from a traditional scanner-plus-dashboard stack.

Safeguard Team
Product & Security
5 min read

Safeguard is a software supply chain security platform that finds, prioritizes, and fixes vulnerabilities across the code and dependencies your organization ships. It combines reachability-aware software composition analysis, autonomous remediation through Griffin AI, SBOM and AIBOM generation, and a catalog of 500K-plus zero-CVE components into one workflow that runs in CI, in the IDE, and through AI agents. This FAQ answers the most common questions about what the platform is and how the parts fit together.

Frequently Asked Questions

What is the Safeguard platform? Safeguard is an end-to-end software supply chain security platform. It analyzes your dependencies, source code, containers, and infrastructure-as-code for vulnerabilities, prioritizes them by real exploitability, and can generate and test fixes automatically. Rather than being a single scanner, it unifies detection, prioritization, remediation, and evidence generation in one place.

What problems does Safeguard solve? Most breaches begin with vulnerable third-party code inherited on day one, and most security tools respond by flooding teams with alerts that are largely noise. Safeguard reduces that noise with reachability analysis, lets teams start from clean 500K-plus zero-CVE components instead of unvetted public images, and closes findings with autonomous remediation so exposure is measured in days rather than months.

What are the main components of the platform? The core pieces are software composition analysis for dependencies, static and dynamic analysis for first-party code, SBOM Studio for bill-of-materials authoring, Auto Fix and Griffin AI for remediation, a catalog of hardened zero-CVE components, and an MCP server that exposes security operations to AI assistants. They share one component graph and one findings model.

How is Safeguard different from a traditional scanner? A traditional scanner detects and hands you a list. Safeguard is built around the full loop: it detects, filters findings down to the ones that are actually reachable and exploitable, generates a fix, tests it for compatibility, and opens a pull request. The measure of success is not how many findings you can see but how quickly the exploitable ones disappear.

What is reachability analysis and why does it matter? Reachability analysis uses call-graph inspection to determine whether a vulnerable function is actually invoked by your code. A CVE in a dependency you never call along a live path is far lower risk than one on a hot code path. By separating reachable from unreachable findings, Safeguard cuts false positives so teams spend effort on the vulnerabilities that can truly be exploited.

What ecosystems and package managers does Safeguard support? Safeguard performs deep transitive dependency analysis across common ecosystems including npm, PyPI, Maven, Go modules, and Cargo, along with container images and infrastructure-as-code. Transitive scanning means it inspects the dependencies of your dependencies, where a large share of real exposure hides.

What are zero-CVE components? Zero-CVE components are hardened, pre-scanned container images and packages with no known CVEs, published through Safeguard's Gold catalog. Instead of starting from a public base image riddled with inherited vulnerabilities and then patching, teams start clean. This flips the model from "inherit and remediate" to "start clean and stay clean."

Does Safeguard generate SBOMs and AIBOMs? Yes. SBOM Studio maintains a single component graph and exports both CycloneDX and SPDX without divergence, so customers, regulators, and procurement teams each get the format they request. It also attaches in-toto attestations and SLSA provenance, and supports AI bill-of-materials so the model and data components of AI systems are inventoried alongside software.

How does Safeguard fit into CI/CD? Safeguard integrates as an inline pull-request check that can block new critical, reachable findings before they merge, which is the single highest-leverage control in an appsec program. It also runs through a CLI for pipelines, IDE extensions for developers, and scheduled scans for continuous monitoring of already-shipped code.

Can AI agents use Safeguard? Yes. The MCP server exposes dozens of security tools — vulnerability lookups, SBOM operations, scans, and remediation — to any Model Context Protocol client, including Claude Desktop, ChatGPT, and IDE assistants. Access is governed with per-tool allowlists and capability scoping so an agent can be restricted to read-only or sandboxed operations.

Where can Safeguard be deployed? Safeguard runs in the cloud across many providers, on-premises, and in air-gapped environments, which matters for regulated and government workloads. The architecture is designed to meet FedRAMP High and IL7 requirements, and SOC 2 Type II is in progress with the audit underway.

Is Safeguard only for large enterprises? No. The platform scales from a single repository connected in minutes to hundreds of services across an organization. Small teams benefit from autonomous remediation because it lets a handful of people cover a wide surface, while larger organizations use policy-as-code, VEX workflows, and centralized inventory. Pricing is scoped to environment and needs, detailed on the pricing page.

How does Safeguard reduce alert fatigue? Three ways: reachability analysis removes findings that cannot be exploited on live paths, EPSS exploit-prediction scoring ranks what remains by likelihood of exploitation, and VEX statements let you mark not-affected components with justifications so noisy CVEs drop off the queue without losing the audit trail.

Ready to see it on your own code? Create a free account at https://app.safeguard.sh/register and read the full documentation at https://docs.safeguard.sh.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.