Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

974 articles

SBOM & Compliance

SBOM-Driven Vendor Onboarding: Procurement Blueprint

Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.

Apr 3, 20266 min read
Software Supply Chain Security

What Are Malicious Packages

Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.

Apr 3, 20267 min read
Software Supply Chain Security

Managing risk in the software supply chain

Chainguard hardens base images, but that's one slice of supply chain risk. Here's what SolarWinds, Log4Shell, and XZ Utils reveal about the gaps — and how to close them.

Apr 3, 20268 min read
Open Source Security

What Are Transitive Dependencies

Transitive dependencies are the packages your code never directly imports but inherits anyway — and where 84% of open source CVEs actually live.

Apr 3, 20266 min read
Open Source Security

Direct vs Transitive Dependencies

Most known vulnerabilities live in transitive dependencies, not the ones in your manifest. Here's how to tell them apart and prioritize what's exploitable.

Apr 3, 20267 min read
Open Source Security

Open Source License Compliance

Redis, Elasticsearch, and Terraform all changed licenses in the last three years. Here's how license compliance actually breaks, and how to catch it before you ship.

Apr 3, 20267 min read
Vulnerability Management

A guide to modern vulnerability scanning

Scanners disagree, CVE volume is exploding, and hardened base images solve only one layer. Here's how modern vulnerability scanning actually works — and where prioritization beats raw CVE counts.

Apr 3, 20268 min read
Open Source Security

Types of Open Source Licenses

A breakdown of permissive, copyleft, and source-available license types—MIT, GPL, AGPL, SSPL—and why misclassified licenses create hidden supply chain risk.

Apr 2, 20267 min read
Software Supply Chain Security

Software supply chain security: threat vectors & solutions

Real incidents, real numbers: how modern software supply chain threat vectors work, why SBOMs alone don't stop them, and what actually closes the gap.

Apr 2, 20268 min read
Open Source Security

Copyleft vs Permissive Licenses

Copyleft and permissive licenses trigger different legal obligations. Here's how GPL, AGPL, MIT, and Apache 2.0 actually differ — with real lawsuits and relicensing cases.

Apr 2, 20267 min read
Vulnerability Management

Streamlining the vulnerability management lifecycle

Most teams find CVEs fast but fix them slowly. Here's why the vulnerability management lifecycle breaks down after scanning — and how to close the gap.

Apr 2, 20267 min read
Open Source Security

Software Dependencies: How to Manage Them at Scale

Most apps run 10-20x more dependencies than engineers chose. Here's how reachability analysis and automation manage that risk at scale.

Apr 2, 20266 min read
sbom (Page 34) — Safeguard Blog