sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Executive Guide to Operationalizing AI Governance
A 2026 look at why AI governance policies keep failing in practice—and the five-pillar operating model executives are using to fix it.
A Tale of Two Scanners: Siloed Scanning vs AI-Powered Correlation
Siloed scanners flood teams with disconnected alerts. Here's why AI powered vulnerability correlation is becoming the industry's answer to alert fatigue.
CISA Secure by Design Pledge: Practical Impact
An engineer's assessment of what the CISA Secure by Design Pledge actually changed inside product teams, what it did not, and where the 2026 expectations are landing.
What is Vulnerability Remediation
Vulnerability remediation means fixing a flaw at its source, not just detecting it. Learn the workflow, real MTTR benchmarks, and prioritization.
What is Snyk Code (SAST Tool Category Overview)
Snyk Code explained: what it is, how its SAST engine works, its limits, category competitors, and where reachability closes the gap.
What is a Vulnerability Database
CVE, NVD, OSV, GHSA, KEV — vulnerability databases power every scanner's severity score. Here's how they're built, enriched, and where they fall short.
What is Software Supply Chain Risk Scoring
CVSS alone can't tell you what to fix first. Here's how supply chain risk scoring blends exploitability, reachability, and provenance into one actionable number.
What is a Malicious Commit / Compromised Maintainer Account
When an attacker steals a maintainer's credentials, every user of that package inherits the compromise. Here's how it happens and how to catch it.
Generating and exporting a software bill of materials in AWS
A practical walkthrough for generating and exporting an AWS SBOM using Inspector and ECR -- plus troubleshooting tips and how Safeguard helps.
XZ Utils backdoor discovery (CVE-2024-3094)
A deep dive into CVE-2024-3094, the XZ Utils backdoor: affected versions, CVSS/EPSS context, full attack timeline, and remediation steps.
CycloneDX ML-BOM in 1.7: Implementation Guide
CycloneDX 1.7 was published in October 2025 and adopted by the General Assembly in December. We unpack what the ML-BOM capability means in practice for AI inventory.
CycloneDX Support: Griffin AI vs Mythos
CycloneDX is not a text format to be summarized — it's a typed graph with dozens of semantically-rich fields. Griffin AI consumes it as a graph. Mythos-class tools consume it as tokens. That difference decides every downstream finding.