sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Secure AI-Assisted Development: A Best-Practices Guide
Samsung banned ChatGPT company-wide in May 2023 after engineers pasted proprietary source code into it three times in 20 days. Here's how to adopt AI coding assistants without repeating that mistake.
Securing LLM and Model Supply Chains
JFrog found roughly 100 malicious model files on Hugging Face in 2024 alone — model weights are now a build-pipeline attack surface, and most teams have no SBOM for them.
Securing SBOM storage and distribution in cloud environments
GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.
When the Security Tool Is the Backdoor
CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.
Why semantic versioning and release channels matter for security tools
A backdoor sat in xz-utils 5.6.0 and 5.6.1 for weeks before Andres Freund caught it — stable distro channels, not luck, kept it out of most production systems.
A vendor-neutral framework for software supply chain security tools
Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.
Software supply chain attacks in 2026: what's actually changed
A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.
Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro
A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.
The Best Open Source Security Tools in 2026
You can build a capable security program from free tools. This balanced guide compares Trivy, Grype and Syft, OSV-Scanner, OWASP Dependency-Check, and Dependency-Track — and is honest about when a commercial platform earns its cost.
JFrog Xray Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the top JFrog Xray alternatives in 2026 — Snyk, Sonatype, Mend, Trivy, Anchore, and Safeguard — with candid pros, cons, and a way to choose.
Kubernetes Supply Chain Security: Trusting What You Deploy
The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.
What Is an AIBOM (AI Bill of Materials)? A 2026 Primer
An SBOM tells you what code you ship. An AIBOM answers the question that has no good answer today: what models, datasets, and prompts is our AI actually built on — and where did they come from?