sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
The SBOM Maturity Model: A Practical Roadmap for Enterprise Adoption
Most organizations are still at SBOM Level 0. Here's a five-level maturity model to guide your journey from no SBOMs to full supply chain transparency.
Tern: Container SBOM Generation Through Layer Analysis
A review of Tern, the open source tool that generates SBOMs by inspecting container image layers, including its strengths, limitations, and where it fits in your toolchain.
Generating SBOMs from Container Images: A Practical Guide
Container images are opaque by default. Here's how to crack them open with SBOMs to see exactly what's running in production.
OSS Review Toolkit (ORT): Automating License Compliance at Scale
The OSS Review Toolkit handles license scanning, vulnerability detection, and compliance policy enforcement. Here's how to put it to work.
Building an SBOM Program from Scratch: A Practical Guide
Standing up an SBOM program is more than picking a tool. This guide covers organizational buy-in, tooling selection, automation, and scaling from your first BOM to enterprise-wide adoption.
Software Transparency and the EU Cyber Resilience Act
The EU Cyber Resilience Act is rewriting the rules for software sold in Europe. Mandatory vulnerability handling, SBOM requirements, and security-by-design obligations are coming for every vendor.
SPDX Specification: A Practical Guide for Security Teams
SPDX is the ISO-standardized SBOM format. Here's how to use it effectively for security, not just license compliance.
Trivy for SBOM Generation and Vulnerability Scanning
Trivy combines SBOM generation with vulnerability scanning in a single tool. Here's how to use both capabilities effectively.
VEX Explained: How Vulnerability Exploitability Exchange Cuts Through Alert Noise
VEX documents let software producers tell consumers which vulnerabilities actually affect their products. Here's how VEX works and why it matters.
How to Create Your First SBOM
A practical, step-by-step guide to generating your first Software Bill of Materials using open-source tools and integrating it into your development workflow.
Docker Scout for Container Security Analysis: A Practical Guide
Docker Scout brings vulnerability scanning directly into the Docker CLI. Here is what it actually catches, where it falls short, and how to integrate it into your workflow.
CPE Naming Convention and the Vulnerability Matching Problem
CPE is the backbone of NVD vulnerability matching, and it is deeply flawed. Understanding its limitations is essential for accurate vulnerability management.