sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
What is the EU Cyber Resilience Act (CRA)? A software supply chain guide
The Cyber Resilience Act sets binding cybersecurity rules for products with digital elements sold in the EU. Here's who it covers, what it demands of software, and how to prepare before the 2027 deadline.
Software supply chain attack statistics and trends report
Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.
A forgotten contributor account compromised the Mastra npm scope
A dormant npm account with unrevoked publish rights let attackers trojanize 144 @mastra packages in 88 minutes, dropping a crypto-wallet RAT tied to Sapphire Sleet.
Understanding the software supply chain attack surface
SolarWinds, Log4Shell, and XZ Utils show the software supply chain attack surface is bigger than any single scan. Here's how to actually map and shrink it.
SBOM as a supply chain defense strategy
SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.
GitHub dependency graph and dependency review explained
How GitHub Dependency Graph and Dependency Review actually work, what GitHub Advanced Security adds on top, and where the coverage gaps are for teams relying on manifest-only scanning.
Preventing malicious packages with automated detection
Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.
License compliance checks for open source dependencies on...
GitHub Advanced Security scans for vulnerabilities, not license risk. Here's what real open source license compliance requires—and where GHAS falls short.
SBOM export in GitHub: generating a software bill of mate...
GitHub lets you export an SPDX SBOM in two clicks, but the file only reflects what its dependency graph can see. Here's what's missing and how Safeguard fills it.
10 Docker image security best practices
Ten concrete Docker image security practices — minimal base images, secret handling, reachability-based scanning, non-root runtimes, and SBOMs — with real CVEs and data.
Choosing secure base images for containers
Base image choice drives most of your container's attack surface. Here's what secure Docker base images actually require, with concrete CVE data.
Distroless container images explained
Distroless images cut container size by up to 90% and eliminate OS-level CVEs, but they don't secure app dependencies. Here's how they work and where they fall short.