Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

AI Security

Secure AI-Assisted Development: A Best-Practices Guide

Samsung banned ChatGPT company-wide in May 2023 after engineers pasted proprietary source code into it three times in 20 days. Here's how to adopt AI coding assistants without repeating that mistake.

Jul 8, 20266 min read
AI Security

Securing LLM and Model Supply Chains

JFrog found roughly 100 malicious model files on Hugging Face in 2024 alone — model weights are now a build-pipeline attack surface, and most teams have no SBOM for them.

Jul 8, 20266 min read
Supply Chain Security

Securing SBOM storage and distribution in cloud environments

GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.

Jul 8, 20267 min read
Supply Chain Security

When the Security Tool Is the Backdoor

CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.

Jul 8, 20266 min read
DevSecOps

Why semantic versioning and release channels matter for security tools

A backdoor sat in xz-utils 5.6.0 and 5.6.1 for weeks before Andres Freund caught it — stable distro channels, not luck, kept it out of most production systems.

Jul 8, 20266 min read
Supply Chain Security

A vendor-neutral framework for software supply chain security tools

Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.

Jul 8, 20266 min read
Supply Chain Security

Software supply chain attacks in 2026: what's actually changed

A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro

A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.

Jul 8, 20266 min read
Buyer's Guides

The Best Open Source Security Tools in 2026

You can build a capable security program from free tools. This balanced guide compares Trivy, Grype and Syft, OSV-Scanner, OWASP Dependency-Check, and Dependency-Track — and is honest about when a commercial platform earns its cost.

Jul 7, 20266 min read
Buyer's Guides

JFrog Xray Alternatives in 2026: An Honest Buyer's Guide

A balanced comparison of the top JFrog Xray alternatives in 2026 — Snyk, Sonatype, Mend, Trivy, Anchore, and Safeguard — with candid pros, cons, and a way to choose.

Jul 7, 20266 min read
Container Security

Kubernetes Supply Chain Security: Trusting What You Deploy

The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.

Jul 7, 20265 min read
AI Security

What Is an AIBOM (AI Bill of Materials)? A 2026 Primer

An SBOM tells you what code you ship. An AIBOM answers the question that has no good answer today: what models, datasets, and prompts is our AI actually built on — and where did they come from?

Jul 7, 20265 min read
sbom (Page 5) — Safeguard Blog