Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

SBOM

Shadow Risks: Unmanaged and Unauthorized Dependencies

Shadow dependencies risk management is now core to SBOM strategy. See how unmanaged, unauthorized open source packages cause breaches Sonatype-style scans miss.

Jun 4, 20268 min read
Buyer's Guides

Best SCA Tools in 2026: Software Composition Analysis Compared

An honest comparison of the best SCA tools in 2026 — Snyk, Endor Labs, Socket, Mend, Sonatype, JFrog, Trivy, and Safeguard — covering reachability analysis, malicious-package detection, SBOM/AIBOM, and remediation, with a clear best-for line for each.

Jun 3, 20268 min read
AI Security

What Are AI Bills of Materials (AIBOMs)

What is an AI Bill of Materials (AIBOM), why do SBOM tools like Sonatype fall short on AI components, and how do teams build one in 2025.

Jun 3, 20268 min read
Open Source Security

What is SCA? Software Composition Analysis explained

SCA scans your open-source dependencies for known vulnerabilities and license risk. Here's what it checks, how it differs from SAST, and why reachability matters.

Jun 3, 20266 min read
SBOM

What Is SLSA (Supply-chain Levels for Software Artifacts)

SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.

Jun 2, 20268 min read
Industry Analysis

What Is Shift Left Security

Shift left security moves scanning earlier in the SDLC. Here's what it means, how Sonatype approaches it, where it falls short, and how Safeguard closes the gap.

Jun 2, 20267 min read
Vulnerability Analysis

When is a CVE not a CVE?

Not all CVEs are equal: NVD's 2024 backlog, disputed curl CVEs, and duplicate OpenSSL bugs show why CVE quality varies wildly.

Jun 2, 20266 min read
Threat Intelligence

What Is Post-Quantum Cryptography (for software supply ch...

Quantum computers will eventually break RSA and ECDSA. Here's what NIST's 2024 PQC standards, CNSA 2.0 deadlines, and "harvest now, decrypt later" mean for signed software supply chains.

Jun 2, 20267 min read
Application Security

What Is Perimeter Protection in Application Security

Perimeter protection screens packages at the gate — but xz-utils, SolarWinds, and event-stream all slipped past firewalls. Here's what it catches, and what it misses.

Jun 2, 20267 min read
Buyer's Guides

Snyk Alternatives in 2026: 8 Options Compared

An honest, opinionated guide to the best Snyk alternatives in 2026 — Endor Labs, Socket, Mend, Aikido, Semgrep, Sonatype, Trivy, and Safeguard — with a fair blurb and a 'best for' line for each, plus where reachability and remediation actually matter.

Jun 1, 20268 min read
Vulnerability Analysis

The CWE Top 25 most dangerous software weaknesses

MITRE's 2023 CWE Top 25 ranks the software weaknesses behind 43,996 CVEs. Here's how it's scored, what moved, and how to prioritize fixes.

Jun 1, 20266 min read
DevSecOps

DevOps vs DevSecOps: what actually changes when you add s...

DevOps vs DevSecOps isn't a mindset shift — it's specific new artifacts, gates, and ownership. Here's what changes, contrasted with JFrog's artifact-first model.

Jun 1, 20268 min read
sbom (Page 17) — Safeguard Blog