software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
How Snyk's open-source license compliance engine classifi...
How Snyk's license compliance engine groups open-source licenses and maps them to low, medium, high, and critical severity levels.
How Snyk keeps its license classifications aligned with t...
How Snyk detects, normalizes, and categorizes open source license metadata against the SPDX License List to power its license compliance policies.
How Snyk detects deprecated or unmaintained packages befo...
A look at how Snyk Advisor scores package maintenance health and surfaces deprecated or abandoned dependencies before they turn into security incidents.
How Snyk scans NuGet and .NET project files for vulnerabl...
How Snyk resolves NuGet and .NET dependency graphs from csproj, packages.config, and project.assets.json files to find vulnerable packages.
How Snyk scans Composer/PHP and RubyGems dependency manif...
A technical look at how Snyk parses composer.json/composer.lock and Gemfile/Gemfile.lock to build dependency trees and match PHP and Ruby packages against known vulnerabilities.
How Snyk's .snyk file structures ignore rules with expiry...
How Snyk's .snyk file encodes vulnerability ignore rules using reason and expiry date fields, and what happens in CI once an exception lapses.
How Snyk's private package registry scanning supports Art...
How Snyk private registry package scanning connects to Artifactory and Nexus, from Docker Registry API calls to Broker-relayed authentication behind the firewall.
How Snyk AI-BOM discovers agents, tools, models, and data...
How Snyk AI-BOM's static analysis engine discovers agents, tools, models, datasets, and MCP servers hiding in code, even without a manifest file.
How Snyk AI-BOM detects MCP servers connected to an appli...
A technical look at how Snyk's AI-BOM statically detects MCP client-server connections in source code, what CycloneDX data it captures, and where its coverage stops.
How Snyk AI-BOM's continuous refresh model differs from a...
How Snyk's AI-BOM keeps model and dataset inventories current through continuous refresh, and why that differs mechanically from a point-in-time static SBOM export.
How Snyk AI-BOM surfaces shadow AI usage that security te...
How Snyk's AI-BOM uses code-level analysis, not manifest parsing, to surface shadow AI models, agent frameworks, and MCP servers security teams don't know are running.
How Snyk's AI-BOM API lets teams query AI component inven...
How Snyk's AI-BOM API exposes AI model and dataset inventories as queryable, CycloneDX-aligned data teams can pull into CI, GRC, and asset tooling programmatically.