sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
Best SBOM Generators Ranked by Accuracy 2026
Syft, Trivy, cdxgen, and Microsoft sbom-tool measured against known dependency ground truth across four ecosystems. The accuracy spread is wider than you think.
What is a Software License
A software license governs how open source code can be used, modified, and redistributed — and license conflicts now carry real contract-law risk, as the Vizio GPL case shows.
What is Open Source Software
Open source software now sits in 96% of codebases. Here's what OSS actually is, how licensing works, and where the real security risk hides.
AI Model Weights: Signing, Attestation, Provenance
Model weights are binaries with the privilege of code and the review of documents. Here is what signing, attestation, and provenance should actually look like.
SBOM Enrichment and Vulnerability Correlation: Turning Inventory into Intelligence
A raw SBOM is a parts list. An enriched SBOM is a risk assessment. Here's how to bridge the gap.
What is a Package Manager
Package managers like npm and pip automate dependency resolution — and have been the entry point for incidents from event-stream to the xz-utils backdoor.
What is npm Security
A concrete look at npm security: real 2025 supply chain attacks on chalk and debug, the Shai-Hulud worm, and how teams actually defend the npm dependency tree.
What is Maven Security
Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.
What is a Monorepo
A monorepo houses many projects in one repository. Learn how Google, Meta, and Microsoft use them, and the blast-radius risks security teams must manage.
What is Threat Detection
Threat detection means spotting active attacks before they succeed. See real dwell-time data, CVE examples, and detection metrics that matter.
What is Secure by Design
Secure by Design turns CISA's 2023 guidance and pledge into concrete practice: memory-safe code, no default passwords, and verifiable SBOMs over marketing claims.
VEX Integration: Griffin AI vs Mythos
VEX is how you turn a vulnerability list into an actionable work queue. Griffin AI ingests VEX documents as structured statements that filter findings at policy time. Mythos-class tools read them as advisory prose and lose the filtering entirely.