sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Shadow Risks: Unmanaged and Unauthorized Dependencies
Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.
Best SCA Tools in 2026: Software Composition Analysis Compared
An honest comparison of the best SCA tools in 2026 — Snyk, Endor Labs, Socket, Mend, Sonatype, JFrog, Trivy, and Safeguard — covering reachability analysis, malicious-package detection, SBOM/AIBOM, and remediation, with a clear best-for line for each.
What Are AI Bills of Materials (AIBOMs)
What is an AI Bill of Materials (AIBOM), why do SBOM tools like Sonatype fall short on AI components, and how do teams build one in 2025.
What is SCA? Software Composition Analysis explained
SCA scans your open-source dependencies for known vulnerabilities and license risk. Here's what it checks, how it differs from SAST, and why reachability matters.
What Is SLSA (Supply-chain Levels for Software Artifacts)
SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.
What Is Shift Left Security
Shift left security moves scanning earlier in the SDLC. Here's what it means, how Sonatype approaches it, where it falls short, and how Safeguard closes the gap.
When is a CVE not a CVE?
Not all CVEs are equal: NVD's 2024 backlog, disputed curl CVEs, and duplicate OpenSSL bugs show why CVE quality varies wildly.
What Is Post-Quantum Cryptography (for software supply ch...
Quantum computers will eventually break RSA and ECDSA. Here's what NIST's 2024 PQC standards, CNSA 2.0 deadlines, and "harvest now, decrypt later" mean for signed software supply chains.
What Is Perimeter Protection in Application Security
Perimeter protection screens packages at the gate — but xz-utils, SolarWinds, and event-stream all slipped past firewalls. Here's what it catches, and what it misses.
Snyk Alternatives in 2026: 8 Options Compared
An honest, opinionated guide to the best Snyk alternatives in 2026 — Endor Labs, Socket, Mend, Aikido, Semgrep, Sonatype, Trivy, and Safeguard — with a fair blurb and a 'best for' line for each, plus where reachability and remediation actually matter.
The CWE Top 25 most dangerous software weaknesses
MITRE's 2023 CWE Top 25 ranks the software weaknesses behind 43,996 CVEs. Here's how it's scored, what moved, and how to prioritize fixes.
DevOps vs DevSecOps: what actually changes when you add s...
DevOps vs DevSecOps isn't a mindset shift — it's specific new artifacts, gates, and ownership. Here's what changes, contrasted with JFrog's artifact-first model.