sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
What Is a Package URL (purl)?
A Package URL, or purl, is a standardized string that identifies a software package across any ecosystem. Here's how its structure works and why SBOMs and vulnerability feeds depend on it.
Managing Open Source Component Risk at Scale
A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.
Software Composition Analysis Best Practices for Engineering Teams
CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.
Best License Compliance Tools in 2026: An Honest Buyer's Guide
A balanced 2026 comparison of the leading open-source license compliance tools — FOSSA, Black Duck, Mend, Snyk, and the ScanCode/FOSSology open-source stack — with an honest look at where Safeguard fits.
JVM Supply Chain Security: Securing the Path from Source to Artifact
Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.
Software Supply Chain Security for Automotive
UNECE R155 and R156, ISO/SAE 21434, and OEM SBOM flow-down have made the software supply chain a type-approval issue for vehicles. Here is what OEMs and suppliers need to build into their programs.
Trivy vs Grype: A Neutral Open-Source Scanner Comparison for 2026
Trivy and Grype are both free, open-source vulnerability scanners loved by engineers, but they differ in scope and philosophy. An honest side-by-side, plus where a managed third option fits.
The SolarWinds Orion supply chain attack explained
How SUNBURST hid inside a signed SolarWinds Orion update, hit 18,000 organizations, and reshaped supply chain security.
Snyk vs Wiz: Which Platform Fits Your AppSec Needs
Snyk scans code and dependencies, Wiz scans cloud posture — but neither verifies build provenance. Here's where Safeguard fits in the AppSec stack.
The Codecov Bash uploader breach
How a Docker image flaw let attackers tamper with Codecov's Bash Uploader for 65 days, exfiltrating CI secrets from HashiCorp, Twilio, and more.
Snyk vs Black Duck (Synopsys) Comparison
Snyk vs Black Duck comparison for security buyers: how the two SCA platforms differ on workflow, coverage, and compliance — and where Safeguard fits.
3CX DesktopApp supply chain compromise
How North Korea-linked hackers turned a signed, trusted 3CX VoIP installer into malware — and the double supply chain attack that made it possible.