Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Container Security

Minimal container images with ko: evaluating distroless Go builds

ko builds Go containers straight from source onto a shell-less distroless base with no Dockerfile — cutting attack surface, and debugging tools, at once.

Jul 12, 20267 min read
Supply Chain Security

The C++ supply chain has no npm — and that's the risk

C++ has no single package registry like npm or PyPI, so vendored code hides provenance — the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shows the cost.

Jul 11, 20266 min read
Supply Chain Security

CI/CD pipeline hardening against supply chain attacks

23,000+ repos were exposed when tj-actions/changed-files was compromised in March 2025 — pinned SHAs and OIDC would have stopped it cold.

Jul 10, 20267 min read
Container Security

A Practical Container Security Checklist: From Base Image to Runtime

Standard Docker Hub images ship 50-60 known CVEs on average. Here's the checklist that gets containers from base image to runtime without carrying them along.

Jul 10, 20266 min read
Compliance & Frameworks

FedRAMP Moderate: What It Actually Requires From Your Security Architecture

FedRAMP Moderate maps to roughly 300 NIST 800-53 controls — and FedRAMP 20x is now replacing the old triennial paperwork cycle with continuous evidence.

Jul 10, 20267 min read
Compliance & Frameworks

What healthtech AppSec needs beyond generic security practices

242.9 million records were exposed in 2024 HIPAA breaches. Generic AppSec checklists don't satisfy FDA premarket SBOM rules or a pending HIPAA rewrite.

Jul 10, 20266 min read
Kubernetes Security

Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries

Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.

Jul 10, 20267 min read
Open Source Security

Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI

Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.

Jul 10, 20266 min read
Supply Chain Attacks

Anatomy of a Software Supply-Chain Worm: A Post-Mortem Framework

500+ npm packages backdoored in days, then 796 more two months later. A repeatable post-mortem framework for self-propagating open-source worms.

Jul 9, 20266 min read
Compliance & Frameworks

A Practical Guide to EU Cyber Resilience Act Compliance

The CRA's 24-hour vulnerability reporting clock starts 11 September 2026. Here's how to build the SDLC changes now instead of scrambling later.

Jul 9, 20266 min read
DevSecOps

Hardening CI/CD Against a Compromised Upstream Registry

The Sept 2025 npm attack hit packages with 2B weekly downloads in 2 hours. Pinning, lockfile checks, and mirrors would have stopped it cold.

Jul 9, 20265 min read
Vulnerability Management

SBOM-based blast radius analysis for vulnerable dependencies

An SBOM tells you what's inside one artifact. It takes a dependency graph across every service to know what breaks first when a library gets a CVE.

Jul 9, 20266 min read
sbom (Page 2) — Safeguard Blog