sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
How Snyk AI-BOM discovers agents, tools, models, and data...
How Snyk AI-BOM's static analysis engine discovers agents, tools, models, datasets, and MCP servers hiding in code, even without a manifest file.
How Snyk AI-BOM generates a CycloneDX v1.6-compliant ML-BOM
How Snyk's aibom CLI uses static analysis to detect models, agents, and MCP servers, then maps them into a CycloneDX v1.6-compliant ML-BOM structure.
How Snyk AI-BOM's continuous refresh model differs from a...
How Snyk's AI-BOM keeps model and dataset inventories current through continuous refresh, and why that differs mechanically from a point-in-time static SBOM export.
How Snyk AI-BOM surfaces shadow AI usage that security te...
How Snyk's AI-BOM uses code-level analysis, not manifest parsing, to surface shadow AI models, agent frameworks, and MCP servers security teams don't know are running.
How Snyk's AI-BOM API lets teams query AI component inven...
How Snyk's AI-BOM API exposes AI model and dataset inventories as queryable, CycloneDX-aligned data teams can pull into CI, GRC, and asset tooling programmatically.
How Snyk AI-BOM's --html flag visualizes AI dependency an...
How Snyk's snyk aibom --html flag turns CycloneDX AI-BOM data into an interactive graph of models, agents, tools, and MCP client-server-tool dependency chains.
How Snyk detects AI/ML-specific libraries during standard...
Snyk's standard SCA treats AI/ML packages like any other dependency, while a separate AI-BOM tool adds static analysis to detect models, agents, and MCP connections.
Why Transitive Dependencies Are the Blind Spot in Most Vu...
Most vulnerability scans stop at direct dependencies, missing the 70-80% of your codebase that arrives transitively — where Log4Shell and other major CVEs actually hid.
How Dependency Graphs Reveal Hidden Supply Chain Risk
Dependency graph analysis reveals which transitive packages can actually reach your code. From Log4Shell to the xz backdoor, see why flat scans miss what graphs catch.
License Compliance Debt: The Quiet Risk Growing Alongside...
Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.
The Long Tail of Abandoned Open Source Projects and Enter...
Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.
Monorepo vs Polyrepo: How Architecture Choices Shape Supp...
Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.