software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Building trust in AI-assisted software development
AI writes 30-50% of new code at many shops now, and 45% of it ships with security flaws. Here's how to build real trust in that pipeline.
Vulnerability Prioritization in the AI Era
CVSS scores can't keep pace with AI-generated code and 40,000+ annual CVEs. Here's why Sonatype's component-level model falls short and what real prioritization requires.
Claude Code and Claude Desktop security integrations
Claude Code's shell access and MCP's connector boom are reshaping software supply chain risk. Here's what security teams need to know and do.
From SBOMs to AI BOMs: SPDX 3.0 Explained
SPDX 3.0 adds a formal AI profile for documenting ML models and datasets. Here's what changed, how it compares to CycloneDX, and why it matters now.
Securing AI coding IDE extensions and plugins
VS Code themes with 9M installs shipped backdoors; Cursor's rules files were hijacked in 2025. Here's what AI IDE extension security actually requires.
Open Source License Compliance Management
Open source license compliance is now a continuous, automated discipline. Here's what Sonatype gets right, where it falls short, and how Safeguard unifies license risk with vulnerability management.
Container Security for the Software Supply Chain
Container scanning means more than SCA: OS layers, secrets, and provenance matter too. See the gaps in SCA-first tools and how Safeguard closes them.
AI & LLM Governance for Software Development
Sonatype flags bad packages after the fact. Here's what AI governance for software development requires, and how Safeguard tracks models and output together.
Implementing the OWASP Top 10 Proactive Controls
A field guide to the OWASP Top 10 Proactive Controls: what each control requires, real breach examples like Equifax, and how to implement them in CI/CD.
InnerSource Practices for Enterprise Development
InnerSource speeds up enterprise code reuse, but it also turns every internal team into an unaudited package publisher. Here's where governance breaks and how to fix it.
What Are AI Bills of Materials (AIBOMs)
What is an AI Bill of Materials (AIBOM), why do SBOM tools like Sonatype fall short on AI components, and how do teams build one in 2025.
What Are Open Source Vulnerabilities
Open source vulnerabilities explained: how flaws like Log4Shell and XZ Utils spread through dependency trees, how Sonatype tracks them, and how to prioritize fixes.