Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Industry Analysis

How Snyk AI-BOM discovers agents, tools, models, and data...

How Snyk AI-BOM's static analysis engine discovers agents, tools, models, datasets, and MCP servers hiding in code, even without a manifest file.

Aug 21, 20258 min read
Industry Analysis

How Snyk AI-BOM generates a CycloneDX v1.6-compliant ML-BOM

How Snyk's aibom CLI uses static analysis to detect models, agents, and MCP servers, then maps them into a CycloneDX v1.6-compliant ML-BOM structure.

Aug 21, 20257 min read
SBOM

How Snyk AI-BOM's continuous refresh model differs from a...

How Snyk's AI-BOM keeps model and dataset inventories current through continuous refresh, and why that differs mechanically from a point-in-time static SBOM export.

Aug 20, 20258 min read
Industry Analysis

How Snyk AI-BOM surfaces shadow AI usage that security te...

How Snyk's AI-BOM uses code-level analysis, not manifest parsing, to surface shadow AI models, agent frameworks, and MCP servers security teams don't know are running.

Aug 20, 20257 min read
Industry Analysis

How Snyk's AI-BOM API lets teams query AI component inven...

How Snyk's AI-BOM API exposes AI model and dataset inventories as queryable, CycloneDX-aligned data teams can pull into CI, GRC, and asset tooling programmatically.

Aug 20, 20258 min read
Open Source Security

How Snyk AI-BOM's --html flag visualizes AI dependency an...

How Snyk's snyk aibom --html flag turns CycloneDX AI-BOM data into an interactive graph of models, agents, tools, and MCP client-server-tool dependency chains.

Aug 20, 20257 min read
Open Source Security

How Snyk detects AI/ML-specific libraries during standard...

Snyk's standard SCA treats AI/ML packages like any other dependency, while a separate AI-BOM tool adds static analysis to detect models, agents, and MCP connections.

Aug 19, 20257 min read
Open Source Security

Why Transitive Dependencies Are the Blind Spot in Most Vu...

Most vulnerability scans stop at direct dependencies, missing the 70-80% of your codebase that arrives transitively — where Log4Shell and other major CVEs actually hid.

Aug 13, 20257 min read
Open Source Security

How Dependency Graphs Reveal Hidden Supply Chain Risk

Dependency graph analysis reveals which transitive packages can actually reach your code. From Log4Shell to the xz backdoor, see why flat scans miss what graphs catch.

Aug 12, 20258 min read
Compliance

License Compliance Debt: The Quiet Risk Growing Alongside...

Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.

Aug 12, 20257 min read
Open Source Security

The Long Tail of Abandoned Open Source Projects and Enter...

Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.

Aug 12, 20257 min read
Open Source Security

Monorepo vs Polyrepo: How Architecture Choices Shape Supp...

Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.

Aug 11, 20257 min read
sbom (Page 69) — Safeguard Blog