sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Claude Code and Claude Desktop security integrations
Claude Code's shell access and MCP's connector boom are reshaping software supply chain risk. Here's what security teams need to know and do.
From SBOMs to AI BOMs: SPDX 3.0 Explained
SPDX 3.0 adds a formal AI profile for documenting ML models and datasets. Here's what changed, how it compares to CycloneDX, and why it matters now.
ISO 27001 and NIST Framework Alignment for Supply Chain V...
How ISO 27001:2022 and NIST's SSDF, SP 800-161, and CSF 2.0 converge on software supply chain vendors—and where CVE-only scanning tools leave compliance gaps.
Securing AI coding IDE extensions and plugins
VS Code themes with 9M installs shipped backdoors; Cursor's rules files were hijacked in 2025. Here's what AI IDE extension security actually requires.
Sonatype SBOM Manager Overview
A concrete look at Sonatype SBOM Manager — its origins, pricing model, VEX support, and common adoption gaps — for teams evaluating an SBOM manager tool.
Zero-day risk in third-party AI model dependencies
Malicious Hugging Face models, a trojanized Ultralytics PyPI release, and a torch.load bypass show AI model dependencies now carry real zero-day risk.
Sonatype Guide: Securing Agentic AI Development
Sonatype's new guide reframes AI dependency risk, but its scanner-based model can't govern agents that install packages and call MCP tools on their own. Here's the gap and how to close it.
Open Source License Compliance Management
Open source license compliance is now a continuous, automated discipline. Here's what Sonatype gets right, where it falls short, and how Safeguard unifies license risk with vulnerability management.
Best Container Scanning Tools in 2026: An Honest Buyer's Guide
An honest guide to the best container scanning tools in 2026 — from open-source scanners like Trivy and Grype to cloud-context platforms like Wiz and Aqua — with clear guidance on which fits your CI/CD pipeline, registry, and runtime.
OWASP Top 10 vulnerabilities explained
A breakdown of all 10 OWASP Top 10 categories with real CVEs (Log4Shell, Equifax, Heartbleed) mapped to each, and stats on which risks hit production most.
Container Security for the Software Supply Chain
Container scanning means more than SCA: OS layers, secrets, and provenance matter too. See the gaps in SCA-first tools and how Safeguard closes them.
Implementing the OWASP Top 10 Proactive Controls
A field guide to the OWASP Top 10 Proactive Controls: what each control requires, real breach examples like Equifax, and how to implement them in CI/CD.