How to Build a VEX Document for Your Consumers
A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product and which do not.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.
A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.
Go's build model makes SLSA provenance more tractable than most ecosystems. Here is the practical guide for producing and verifying provenance on Go releases.
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.
Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.
Compare Mend (formerly WhiteSource) and Black Duck on SBOM export, license policy, detection sources, deployment model, and enterprise reporting for 2024 SCA selection.
Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.
Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship attested SBOMs alongside your JARs.