sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
SBOMs in the CI/CD Pipeline: From Generation to Actually Useful
Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.
Understanding SBOM Formats
A software bill of materials is only useful if tools can read it. Two standards dominate — SPDX and CycloneDX — and knowing what each captures, how they differ, and when to use which is the difference between an inventory that works and one that gathers dust.
What Is Open Source License Compliance?
Open source license compliance is the practice of tracking every open source component you use and honoring the legal obligations of its license. Get it wrong and you risk lawsuits, forced code disclosure, or a blocked acquisition.
GitHub Advisory Database: 30,000+ curated advisories beyo...
GitHub's Advisory Database curates 30,000+ entries beyond raw CVE data. Here's what it actually covers, where GHAS inherits its limits, and where correlation across sources closes the gaps.
tj-actions/changed-files GitHub Action compromise
How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.
GitHub Advanced Security alternatives: why teams look bey...
GitHub Advanced Security works well inside GitHub — but multi-SCM estates, independent CVE data needs, and AI-agent workflows push teams to look further. Here's a grounded comparison.
Axios npm package RAT supply chain compromise
A compromised maintainer account pushed malicious axios releases carrying a cross-platform RAT to npm on March 31, 2026 — here's the full timeline and IOCs.
The npm Supply Chain Security Guide
How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.
Container Image Scanning: A Practical Guide
Scanning a container image is easy. Scanning it at the right moment, cutting the false positives, and gating deploys on the result is where most programs fall apart.
Polyfill.io supply chain domain takeover
How a routine domain sale turned polyfill.io into malware served to 100,000+ sites, and how to catch supply chain takeovers before they ship.
SBOM (Software Bill of Materials): Frequently Asked Questions
A clear FAQ on software bills of materials in 2026 — what an SBOM is, SPDX vs CycloneDX, NTIA minimum elements, VEX, signing, and how to keep an SBOM continuously accurate.
SBOM for Beginners: What a Software Bill of Materials Really Is
Modern software is assembled from hundreds of parts you did not write. An SBOM is the ingredient label that lists them all. Here is a warm, beginner-friendly tour with a first SBOM you can generate today.