sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Software Supply Chain Security Maturity: Where Does Your Organization Stand?
Most organizations know they should care about software supply chain security, but few have a structured way to assess their maturity. A practical framework for evaluating and improving your posture.
Vendoring Dependencies: When It Helps and When It Hurts Security
Committing dependencies to your repo buys immutability and availability — and quietly breaks scanners, updates, and license tracking. Here's the honest ledger.
Docker Image Scanning: How It Works and What It Finds
Scanners don't run your container — they unpack it. How docker image scanning inventories layers, matches CVEs, handles distro backports, and where it belongs in your pipeline.
SCA Code: What Composition Analysis Actually Reads in Your Repo
A concrete look at which files SCA tooling actually parses in a repository, how it builds a dependency tree, and why SCA is required even when your own code is clean.
SBOM Example: Reading a Real CycloneDX and SPDX Document
One component, two formats: a field-by-field walkthrough of a real CycloneDX and SPDX SBOM — purls, licenses, hashes, dependency graphs, and how to validate your own.
The SBOM Compliance Landscape in 2025: What You Need to Know
From the US Executive Order to the EU Cyber Resilience Act, SBOM requirements are becoming law. Here is where things stand in 2025 and what organizations need to do to comply.
SPDX 3.0.1: The Patch Release That Cleared ISO and OMG Submission
SPDX 3.0.1 was announced on December 27, 2024, bundling fixes from 3.0.0 implementation and the edits required for OMG SPDX/3.0 and ISO/IEC submission.
Safeguard 5.0: The Next Generation of Software Supply Chain Security
Safeguard 5.0 introduces Griffin AI, expanded SBOM analysis, and a redesigned policy engine. Here is what is new and why it matters for your security program.
Java SBOM Generation Tools Compared
Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.
NYDFS 500 Meets SBOM Requirements
23 NYCRR Part 500 was amended in 2023 with stronger third-party and vulnerability management language. For covered financial entities, SBOM practice has quietly become a compliance expectation.
Zero Trust Principles Applied to the Software Supply Chain
Zero trust is not just a network architecture concept. Applied to the software supply chain, it fundamentally changes how organizations verify code, dependencies, and build processes.
The Software Composition Analysis Market in 2024: Consolidation and Evolution
The SCA market is maturing fast, with acquisitions, AI-powered analysis, and SBOM mandates reshaping the competitive landscape and what buyers should expect.