Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

DevSecOps

SBOMs in the CI/CD Pipeline: From Generation to Actually Useful

Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.

Jul 3, 20266 min read
Concepts

Understanding SBOM Formats

A software bill of materials is only useful if tools can read it. Two standards dominate — SPDX and CycloneDX — and knowing what each captures, how they differ, and when to use which is the difference between an inventory that works and one that gathers dust.

Jul 3, 20266 min read
Concepts

What Is Open Source License Compliance?

Open source license compliance is the practice of tracking every open source component you use and honoring the legal obligations of its license. Get it wrong and you risk lawsuits, forced code disclosure, or a blocked acquisition.

Jul 3, 20266 min read
Vulnerability Analysis

GitHub Advisory Database: 30,000+ curated advisories beyo...

GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.

Jul 3, 20267 min read
Software Supply Chain Security

tj-actions/changed-files GitHub Action compromise

How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.

Jul 3, 20266 min read
Buyer's Guides

GitHub Advanced Security alternatives: why teams look bey...

GitHub Advanced Security works well inside GitHub — but multi-SCM estates, independent CVE data needs, and AI-agent workflows push teams to look further. Here's a grounded comparison.

Jul 3, 20267 min read
Software Supply Chain Security

Axios npm package RAT supply chain compromise

A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.

Jul 3, 20267 min read
Security Guides

The npm Supply Chain Security Guide

How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.

Jul 2, 20265 min read
Container Security

Container Image Scanning: A Practical Guide

Scanning a container image is easy. Scanning it at the right moment, cutting the false positives, and gating deploys on the result is where most programs fall apart.

Jul 2, 20266 min read
Software Supply Chain Security

Polyfill.io supply chain domain takeover

How a routine domain sale turned polyfill.io into malware served to 100,000+ sites, and how to catch supply chain takeovers before they ship.

Jul 2, 20267 min read
FAQ

SBOM (Software Bill of Materials): Frequently Asked Questions

A clear FAQ on software bills of materials in 2026 — what an SBOM is, SPDX vs CycloneDX, NTIA minimum elements, VEX, signing, and how to keep an SBOM continuously accurate.

Jul 2, 20266 min read
Guides

SBOM for Beginners: What a Software Bill of Materials Really Is

Modern software is assembled from hundreds of parts you did not write. An SBOM is the ingredient label that lists them all. Here is a warm, beginner-friendly tour with a first SBOM you can generate today.

Jul 2, 20266 min read
sbom (Page 9) — Safeguard Blog