sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Scanning Docker Images in CI/CD Pipelines
Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.
Software Supply Chain Security for Startups
For a startup, supply chain security is less about compliance mandates and more about closing enterprise deals and surviving the incident that could end you. Here is how to get it right with a small team.
Software Supply Chain Security for Compliance Officers
For compliance officers, supply chain security is an evidence problem before it is a technical one. Here is how to map controls to frameworks, keep evidence current, and pass an audit without turning your engineers into a documentation team.
Software Composition Analysis (SCA) Explained
SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.
The Shai-Hulud npm worm campaign
A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.
SHA1-Hulud second-wave npm supply chain incident
Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.
Mini Shai-Hulud hits TanStack npm packages
TeamPCP's Mini Shai-Hulud worm hijacked 42 TanStack npm packages via stolen GitHub OIDC tokens, spreading to 169 packages with valid SLSA attestations.
Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End
The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.
EU Cyber Resilience Act FAQ: Timelines, SBOMs, and Reporting Duties
A precise FAQ on the EU Cyber Resilience Act in 2026 — what it covers, the phased 2026 and 2027 deadlines, the SBOM requirement, 24-hour vulnerability reporting, risk classes, and penalties.
FedRAMP and the software supply chain: a 2026 guide
FedRAMP authorization increasingly hinges on how you secure your software supply chain. Here's how the SR control family, SBOMs, and SSDF attestation fit together.
How to Read an SBOM
An SBOM is a list of everything inside your software. This beginner guide shows you how to open one, understand each field, and turn it into something useful.
Mini Shai-Hulud AntV npm packages compromise
A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.