sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
How to Respond When a CVE Drops in a Package You Ship
A working playbook for the day a CVE lands in your dependency tree: confirm exposure with SBOM queries, judge real exploitability, patch or mitigate, then prove it and publish VEX.
How to Generate an SBOM with GitHub Actions (2026)
SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.
What is Code Signing
Code signing proves who published software and that it wasn't tampered with — but SolarWinds, CCleaner, and 3CX show signed doesn't mean safe.
What is the SLSA Framework
SLSA defines four build integrity levels to stop supply chain tampering. Learn what each level requires, who's adopting it, and its real limits.
Best compliance management software/tools
Sprinto automates org-wide compliance evidence; Safeguard proves what's inside your software. Here's how the two approaches differ on verifiable ground.
What is In-toto Attestation
In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.
SIEM tools comparison
Sprinto automates compliance evidence; Safeguard secures the software supply chain. Neither is a true SIEM — here's how to tell which problem you actually have.
What is Sigstore
Sigstore lets projects sign software with short-lived, identity-bound certificates instead of long-lived keys. Here's how Fulcio, Rekor, and Cosign actually work.
Software Supply Chain Security Market Map 2026
A senior-analyst market map of software supply chain security in 2026: the vendor categories that consolidated, the ones that splintered, and where the budget actually lands.
Vulnerability management and scanning tools
Sprinto automates compliance evidence collection; Safeguard scans code, dependencies, and containers directly. Here's how the two actually differ on vulnerability management.
Tracking Vendor-Supplied Binaries In Your Runtime
Vendor binaries run as root and ship without SBOMs. Continuous discovery brings them under the same governance as your own code.
What is Software Provenance
Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.