sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
971 articles
Do Not Pass GO: Malicious Golang Package Alert
A typosquat of boltdb/bolt stayed cached on Go's module proxy for roughly three years after its source repo was cleaned up — proxy caching beats takedowns.
OCI Image Labels and Annotations: A Practical Guide to Provenance and SBOM Linkage
OCI defines 14 standard org.opencontainers.image.* annotation keys, but labels are unsigned metadata — anyone with build access can forge them.
npm package aliasing: the dependency confusion attack surface most teams never scan
npm's alias@npm:target syntax lets an attacker capture a name that doesn't even exist yet on the registry — widening dependency confusion past simple squatting.
npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware
event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.
Building an OSPO security governance model for license and vulnerability risk
77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.
A four-surface framework for software supply-chain risk
Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.
Docker image vulnerability scanning: best practices for CI/CD
Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.
The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed
NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.
The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning
In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.
Choosing a secure Node.js Docker base image
A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.
The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)
Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.
Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle
CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.