Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Container Security

Scanning Docker Images in CI/CD Pipelines

Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.

Jul 4, 20265 min read
Solutions

Software Supply Chain Security for Startups

For a startup, supply chain security is less about compliance mandates and more about closing enterprise deals and surviving the incident that could end you. Here is how to get it right with a small team.

Jul 4, 20265 min read
Solutions

Software Supply Chain Security for Compliance Officers

For compliance officers, supply chain security is an evidence problem before it is a technical one. Here is how to map controls to frameworks, keep evidence current, and pass an audit without turning your engineers into a documentation team.

Jul 4, 20266 min read
Open Source Security

Software Composition Analysis (SCA) Explained

SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.

Jul 4, 20267 min read
Software Supply Chain Security

The Shai-Hulud npm worm campaign

A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.

Jul 4, 20267 min read
Software Supply Chain Security

SHA1-Hulud second-wave npm supply chain incident

Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.

Jul 4, 20267 min read
Software Supply Chain Security

Mini Shai-Hulud hits TanStack npm packages

TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.

Jul 4, 20267 min read
Security Guides

Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End

The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.

Jul 3, 20266 min read
FAQ

EU Cyber Resilience Act FAQ: Timelines, SBOMs, and Reporting Duties

A precise FAQ on the EU Cyber Resilience Act in 2026 — what it covers, the phased 2026 and 2027 deadlines, the SBOM requirement, 24-hour vulnerability reporting, risk classes, and penalties.

Jul 3, 20266 min read
Compliance

FedRAMP and the software supply chain: a 2026 guide

FedRAMP authorization increasingly hinges on how you secure your software supply chain. Here's how the SR control family, SBOMs, and SSDF attestation fit together.

Jul 3, 20265 min read
Tutorials

How to Read an SBOM

An SBOM is a list of everything inside your software. This beginner guide shows you how to open one, understand each field, and turn it into something useful.

Jul 3, 20266 min read
Software Supply Chain Security

Mini Shai-Hulud AntV npm packages compromise

A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.

Jul 3, 20267 min read
sbom (Page 8) — Safeguard Blog