Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

971 articles

Supply Chain Security

Do Not Pass GO: Malicious Golang Package Alert

A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.

Jul 16, 20266 min read
Container Security

OCI Image Labels and Annotations: A Practical Guide to Provenance and SBOM Linkage

OCI defines 14 standard org.opencontainers.image.* annotation keys, but labels are unsigned metadata — anyone with build access can forge them.

Jul 16, 20266 min read
Supply Chain Attacks

npm package aliasing: the dependency confusion attack surface most teams never scan

npm's alias@npm:target syntax lets an attacker capture a name that doesn't even exist yet on the registry — widening dependency confusion past simple squatting.

Jul 16, 20266 min read
Supply Chain Security

npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware

event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.

Jul 15, 20266 min read
Open Source Security

Building an OSPO security governance model for license and vulnerability risk

77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.

Jul 15, 20266 min read
Supply Chain Security

A four-surface framework for software supply-chain risk

Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.

Jul 14, 20267 min read
Container Security

Docker image vulnerability scanning: best practices for CI/CD

Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.

Jul 13, 20267 min read
Supply Chain Security

The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed

NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.

Jul 13, 20267 min read
Supply Chain Attacks

The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning

In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.

Jul 13, 20266 min read
Container Security

Choosing a secure Node.js Docker base image

A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.

Jul 12, 20267 min read
Container Security

The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)

Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.

Jul 12, 20266 min read
Supply Chain Security

Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle

CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.

Jul 12, 20266 min read
sbom — Safeguard Blog