Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

974 articles

Compliance

Open Source License Management: Tools and Workflow

A practical breakdown of how mature engineering teams do license management open source style: scanning dependency trees, classifying license risk, and building a workflow that does not slow releases down.

Feb 11, 20266 min read
Containers

OSS Container Security: What Changes With Open-Source Base Images

Open-source base images change your patch cadence, your license exposure, and your provenance story — here's what OSS container security actually adds on top of standard image hardening.

Feb 11, 20265 min read
Compliance

EU Cyber Resilience Act Enforcement Timeline 2026

The EU Cyber Resilience Act is already biting in 2026. Here is the enforcement timeline manufacturers, integrators, and open source stewards need to internalize now.

Feb 11, 20268 min read
Supply Chain

Open Source Vulnerability Management Tools, Compared

OSV-Scanner, Trivy, Grype, and Dependency-Check all find known CVEs for free, but they differ sharply in language coverage, database freshness, and how far they get you toward an actual fix.

Feb 11, 20266 min read
SBOM

OpenVEX vs. CycloneDX VEX: Which to Pick

A direct comparison of OpenVEX and CycloneDX VEX in 2026, covering spec differences, tooling support, and the operational tradeoffs that actually affect your choice.

Feb 11, 20266 min read
Vulnerability Analysis

The SolarWinds Supply Chain Attack Explained

How Russian intelligence hijacked SolarWinds' build system to backdoor Orion updates for 18,000 customers, and what security teams must do now.

Feb 11, 20267 min read
Vulnerability Analysis

The Shai-Hulud npm Supply Chain Attack Explained

How the Shai-Hulud worm turned compromised npm maintainer tokens into a self-replicating supply chain attack, and how to detect and remediate it.

Feb 11, 20268 min read
DevSecOps

How to set up a CI/CD pipeline security gate

A practical, step-by-step guide to building a CI/CD pipeline security gate that scans, enforces vulnerability thresholds, and blocks risky builds without slowing developers down.

Feb 11, 20268 min read
Vulnerability Analysis

The event-stream npm Attack Explained

In 2018, a hijacked npm maintainer account turned event-stream into a supply chain weapon against crypto wallets. Here's the full CVE-style breakdown.

Feb 10, 20267 min read
Vulnerability Analysis

The Codecov Supply Chain Attack Explained

A breakdown of the 2021 Codecov breach: how the Bash Uploader was compromised, what CI secrets were exposed, and the remediation steps teams need now.

Feb 10, 20268 min read
Industry Analysis

RSA Conference 2026: Supply Chain Themes

RSA Conference 2026 centered on AI governance, software supply chain regulation, and vendor consolidation. Here is the analyst view of what mattered.

Feb 9, 20268 min read
Vulnerability Analysis

The left-pad npm Incident Explained

No CVE, no CVSS — just one unpublished package that broke the internet's build pipelines. Here's what left-pad still teaches security teams.

Feb 9, 20268 min read
sbom (Page 50) — Safeguard Blog