license-compliance
Safeguard articles tagged "license-compliance" — guides, analysis, and best practices for software supply chain and application security.
58 articles
Building an OSPO security governance model for license and vulnerability risk
77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.
Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI
Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.
The 4 dimensions of open-source dependency risk
Open-source risk isn't one problem — CVEs, malware, license exposure, and abandonment each fail differently, and Sonatype logged 454,600+ malicious packages in 2025 alone.
The supply-chain and IP risk hiding inside AI coding assistants
GitHub has disclosed that Copilot suggestions match training-set code verbatim about 1% of the time — and a class action over it is still being argued in 2026.
Enriching SBOMs with Vulnerability and License Metadata
A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.
The Hidden Risks of AI Coding Assistants
A 2021 NYU study found 40% of Copilot-generated code contained exploitable bugs — and that's before counting leaked secrets or hallucinated packages.
Secure AI-Assisted Development: A Best-Practices Guide
Samsung banned ChatGPT company-wide in May 2023 after engineers pasted proprietary source code into it three times in 20 days. Here's how to adopt AI coding assistants without repeating that mistake.
Securing AI-Generated Code: The New Risk Surface
40.73% of Copilot's suggested code contains a vulnerability, and one 2024 study found nearly 1 in 5 AI-recommended packages simply don't exist.
Security Practices for GitHub Copilot and AI Coding Assistants
Copilot suggested 2,702 hardcoded secrets from just 900 prompts in one study, and at least 200 were live credentials — adoption without policy is a leak waiting to happen.
Managing Open Source Component Risk at Scale
A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.
Best License Compliance Tools in 2026: An Honest Buyer's Guide
A balanced 2026 comparison of the leading open-source license compliance tools — FOSSA, Black Duck, Mend, Snyk, and the ScanCode/FOSSology open-source stack — with an honest look at where Safeguard fits.
Black Duck Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Black Duck alternatives in 2026 — Snyk, Mend, Sonatype, FOSSA, Trivy, and Safeguard — with candid pros, cons, and a framework for choosing.