Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Concepts

What Is a Package URL (purl)?

A Package URL, or purl, is a standardized string that identifies a software package across any ecosystem. Here's how its structure works and why SBOMs and vulnerability feeds depend on it.

Jul 7, 20266 min read
Open Source Security

Managing Open Source Component Risk at Scale

A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.

Jul 7, 20268 min read
DevSecOps

Software Composition Analysis Best Practices for Engineering Teams

CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.

Jul 7, 20267 min read
Buyer's Guides

Best License Compliance Tools in 2026: An Honest Buyer's Guide

A balanced 2026 comparison of the leading open-source license compliance tools — FOSSA, Black Duck, Mend, Snyk, and the ScanCode/FOSSology open-source stack — with an honest look at where Safeguard fits.

Jul 6, 20266 min read
Security Guides

JVM Supply Chain Security: Securing the Path from Source to Artifact

Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.

Jul 6, 20265 min read
Solutions

Software Supply Chain Security for Automotive

UNECE R155 and R156, ISO/SAE 21434, and OEM SBOM flow-down have made the software supply chain a type-approval issue for vehicles. Here is what OEMs and suppliers need to build into their programs.

Jul 6, 20266 min read
Buyer's Guides

Trivy vs Grype: A Neutral Open-Source Scanner Comparison for 2026

Trivy and Grype are both free, open-source vulnerability scanners loved by engineers, but they differ in scope and philosophy. An honest side-by-side, plus where a managed third option fits.

Jul 6, 20266 min read
Software Supply Chain Security

The SolarWinds Orion supply chain attack explained

How SUNBURST hid inside a signed SolarWinds Orion update, hit 18,000 organizations, and reshaped supply chain security.

Jul 6, 20267 min read
Buyer's Guides

Snyk vs Wiz: Which Platform Fits Your AppSec Needs

Snyk scans code and dependencies, Wiz scans cloud posture — but neither verifies build provenance. Here's where Safeguard fits in the AppSec stack.

Jul 6, 20267 min read
Software Supply Chain Security

The Codecov Bash uploader breach

How a Docker image flaw let attackers tamper with Codecov's Bash Uploader for 65 days, exfiltrating CI secrets from HashiCorp, Twilio, and more.

Jul 6, 20267 min read
Buyer's Guides

Snyk vs Black Duck (Synopsys) Comparison

Snyk vs Black Duck comparison for security buyers: how the two SCA platforms differ on workflow, coverage, and compliance — and where Safeguard fits.

Jul 6, 20268 min read
Software Supply Chain Security

3CX DesktopApp supply chain compromise

How North Korea-linked hackers turned a signed, trusted 3CX VoIP installer into malware — and the double supply chain attack that made it possible.

Jul 6, 20266 min read
sbom (Page 6) — Safeguard Blog