compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
FedRAMP vulnerability scanning requirements explained
FedRAMP mandates monthly vulnerability scans and 30-day remediation windows. Here's what Rev 5 requires, and why minimal images like Chainguard's don't exempt you.
Simplify PCI DSS 4.0 compliance with hardened containers
PCI DSS 4.0's 30-day patch clock is brutal for container-heavy CDEs. Here's how hardened, minimal images cut CVE noise and make audits defensible.
White House M-22-18 SBOM Attestation Update
OMB M-22-18 and the CISA Secure Software Self-Attestation form continue to evolve. Here is what producers and federal buyers must change in 2026.
CMMC 2.0 compliance for containerized workloads
CMMC 2.0 enforcement is phasing in through 2028. Hardened container images help, but 35+ of 110 NIST 800-171 controls need continuous evidence Chainguard's approach doesn't cover.
SOC 2 and the hardened software supply chain
SOC 2 attests to internal controls, not to whether a hardened image or build pipeline is secure. Here is how Chainguard's approach fits, and what it does not cover.
Insurance Claims Platform Supply Chain Program
Insurance claims platforms run on document AI, fraud detection, and integrations to thousands of vendors. Here is the supply chain program that fits.
SLSA v1.1 Framework Update: What's New
SLSA v1.1 sharpens the build track, adds a source track draft, and clarifies attestation semantics. Here is the practical guide for security teams.
Using Reachability To Defend SOC 2 Audit Decisions
An auditor asks why you didn't fix CVE-X. The defensible answer involves reachability evidence. Without it, the conversation gets uncomfortable.
CMMC 2.0 Rollout: Where Deadlines Actually Are
A senior engineer's guide to where CMMC 2.0 deadlines actually sit in 2026, what assessors are looking for, and how supply chain controls fit into the certification path.
CycloneDX vs SPDX: Which Format For Your Program
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.
PCI DSS 4.0 Software Security Evidence Flow
PCI DSS 4.0 raises the bar for software security and supplier oversight. Learn how to satisfy Requirement 6 and 12.8 with continuous supply chain evidence.
Anchore vs. Snyk / Wiz / Sysdig / Aqua / Chainguard posit...
Evaluating Anchore alternatives? See how Safeguard, Snyk, Wiz, Sysdig, Aqua, and Chainguard actually differ on SBOM, runtime, and compliance.