Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Supply Chain Attacks

Reconstructing the tj-actions/changed-files compromise

CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.

Jul 9, 20266 min read
Best Practices

Verifying open source package provenance with SLSA and Sigstore

A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.

Jul 9, 20267 min read
Compliance

The 2026 SBOM compliance guide: where a software bill of materials is now required

SBOM requirements have spread from a single US executive order to regulations across sectors and continents. Here's a framework-by-framework map of where you need one in 2026.

Jul 8, 20265 min read
Buyer's Guides

The Best Software Supply Chain Security Platforms in 2026

Supply-chain security has grown from SCA into a platform category spanning SBOMs, build integrity, and malicious-package defense. This balanced guide compares Snyk, Sonatype, Chainguard, Endor Labs, Socket, and Safeguard.

Jul 8, 20266 min read
Cloud Security

Cloud-Native Supply Chain Security: From Source to Runtime

A stage-by-stage guide to securing the cloud-native software supply chain — source, dependencies, build, artifacts, and deploy — using SBOMs, SLSA provenance, signing, and admission policy.

Jul 8, 20265 min read
FAQ

SBOM Compliance Requirements FAQ: NTIA Elements, Formats, and Mandates

A precise FAQ on SBOM compliance in 2026 — the NTIA minimum elements, accepted formats, where SBOMs are actually mandated (federal, FDA, EU CRA), depth, VEX, and generation.

Jul 8, 20266 min read
AI Security

The supply-chain and IP risk hiding inside AI coding assistants

GitHub has disclosed that Copilot suggestions match training-set code verbatim about 1% of the time — and a class action over it is still being argued in 2026.

Jul 8, 20267 min read
Compliance & Frameworks

What AI Executive Orders Actually Mean for Enterprise Security Teams

The US revoked its AI safety EO in January 2025, but SBOM and evidence obligations under EO 14028 never went away — and the EU AI Act just got harder deadlines.

Jul 8, 20267 min read
Application Security

What to Evaluate in an ASPM Solution: A 2026 Buyer's Guide

Gartner named Application Security Posture Management a category in May 2023 — three years later, most RFPs still can't distinguish a real ASPM from a dashboard bolted onto old scanners.

Jul 8, 20268 min read
Application Security

Why asset inventory should come before AppSec tooling

Only 17% of organizations can inventory 95%+ of their assets, and 69% have been breached through one they didn't know existed — start with the map, not the scanner.

Jul 8, 20267 min read
Open Source Security

How to publish a secure Python package: signing, SBOMs, and trusted publishing

PyPI enforced two-factor authentication for all users on January 1, 2024 — but 2FA alone doesn't stop a stolen API token. Here's the full secure-publishing stack.

Jul 8, 20267 min read
Best Practices

The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security

Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.

Jul 8, 20267 min read
sbom (Page 3) — Safeguard Blog