sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
SBOM-Driven Vendor Onboarding: Procurement Blueprint
Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.
What Are Malicious Packages
Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.
Managing risk in the software supply chain
Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.
What Are Transitive Dependencies
Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.
Direct vs Transitive Dependencies
Most known vulnerabilities live in transitive dependencies, not the ones in your manifest. Here's how to tell them apart and prioritize what's exploitable.
Open Source License Compliance
Redis, Elasticsearch, and Terraform all changed licenses in the last three years. Here's how license compliance actually breaks, and how to catch it before you ship.
A guide to modern vulnerability scanning
Scanners disagree, CVE volume is exploding, and hardened base images solve only one layer. Here's how modern vulnerability scanning actually works — and where prioritization beats raw CVE counts.
Types of Open Source Licenses
A breakdown of permissive, copyleft, and source-available license types—MIT, GPL, AGPL, SSPL—and why misclassified licenses create hidden supply chain risk.
Software supply chain security: threat vectors & solutions
Real incidents, real numbers: how modern software supply chain threat vectors work, why SBOMs alone don't stop them, and what actually closes the gap.
Copyleft vs Permissive Licenses
Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.
Streamlining the vulnerability management lifecycle
Most teams find CVEs fast but fix them slowly. Here's why the vulnerability management lifecycle breaks down after scanning — and how to close the gap.
Software Dependencies: How to Manage Them at Scale
Most apps run 10-20x more dependencies than engineers chose. Here's how reachability analysis and automation manage that risk at scale.