Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

974 articles

Tools

Best SBOM Generators Ranked by Accuracy 2026

Syft, Trivy, cdxgen, and Microsoft sbom-tool measured against known dependency ground truth across four ecosystems. The accuracy spread is wider than you think.

Feb 9, 20266 min read
Open Source Security

What is a Software License

A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.

Feb 9, 20269 min read
Open Source Security

What is Open Source Software

Open source software now sits in 96% of codebases. Here's what OSS actually is, how licensing works, and where the real security risk hides.

Feb 9, 20268 min read
AI Security

AI Model Weights: Signing, Attestation, Provenance

Model weights are binaries with the privilege of code and the review of documents. Here is what signing, attestation, and provenance should actually look like.

Feb 8, 20267 min read
SBOM

SBOM Enrichment and Vulnerability Correlation: Turning Inventory into Intelligence

A raw SBOM is a parts list. An enriched SBOM is a risk assessment. Here's how to bridge the gap.

Feb 8, 20266 min read
Open Source Security

What is a Package Manager

Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.

Feb 8, 20267 min read
Open Source Security

What is npm Security

A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.

Feb 8, 20268 min read
Open Source Security

What is Maven Security

Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.

Feb 8, 20267 min read
DevSecOps

What is a Monorepo

A monorepo houses many projects in one repository. Learn how Google, Meta, and Microsoft use them, and the blast-radius risks security teams must manage.

Feb 7, 20266 min read
Best Practices

What is Threat Detection

Threat detection means spotting active attacks before they succeed. See real dwell-time data, CVE examples, and detection metrics that matter.

Feb 7, 20266 min read
Application Security

What is Secure by Design

Secure by Design turns CISA's 2023 guidance and pledge into concrete practice: memory-safe code, no default passwords, and verifiable SBOMs over marketing claims.

Feb 6, 20267 min read
AI Security

VEX Integration: Griffin AI vs Mythos

VEX is how you turn a vulnerability list into an actionable work queue. Griffin AI ingests VEX documents as structured statements that filter findings at policy time. Mythos-class tools read them as advisory prose and lose the filtering entirely.

Feb 5, 20267 min read
sbom (Page 51) — Safeguard Blog