sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
How Snyk Container parses apk, deb, and rpm package datab...
How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.
How image digest pinning strengthens container supply cha...
How SHA-256 image digests, unlike mutable tags, anchor Snyk container scans to the exact artifact that ships—and why that distinction matters for supply chain integrity.
Docker Image Labels: Metadata That Actually Matters
Docker image labels are free-form key-value metadata that, used well, drive SBOM generation, ownership tracing, and vulnerability triage — used poorly, they're just clutter in the Dockerfile.
How Snyk Open Source builds a full dependency tree from p...
How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.
How Snyk resolves Maven and Gradle dependency graphs incl...
Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.
How Snyk Open Source scans Go modules and resolves the Go...
How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.
Safeguard Desktop App: Supply Chain Security Without the Browser Tab
Announcing the Safeguard Desktop App -- a native application for macOS, Windows, and Linux that brings SBOM management, vulnerability tracking, and policy gates to your desktop.
How Snyk keeps its license classifications aligned with t...
How Snyk detects, normalizes, and categorizes open source license metadata against the SPDX License List to power its license compliance policies.
What is a Vulnerability Exploitability eXchange (VEX) Statement
A VEX statement is a machine-readable assertion of whether a product is actually affected by a CVE — the document that stops your customers from triaging your SBOM for you.
Container Image Security Tools, Compared
A container image security tool scans layers, packages, and configuration inside an image before and after it ships — here's how the major approaches differ and what actually matters when picking one.
How Snyk continuously monitors production dependencies fo...
A technical walkthrough of how Snyk's continuous monitoring uses dependency snapshots, vuln-DB updates, and priority scoring to flag newly disclosed CVEs in production.
Java Supply Chain Security Beyond Log4Shell
Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.