SBOM & Compliance
Migrating SBOM Tooling Providers
A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.
May 18, 20248 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.
Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship attested SBOMs alongside your JARs.
Build a repeatable SBOM review workflow that catches license risks, stale dependencies, and unexpected components before they ship to customers.
A thorough review of Anchore's Syft SBOM generation tool, covering supported formats, language ecosystems, container scanning, and integration patterns.
Your supplier sends SPDX, your platform expects CycloneDX. Here's how to convert between SBOM formats without losing critical data.
A practical, step-by-step guide to generating your first Software Bill of Materials using open-source tools and integrating it into your development workflow.
CycloneDX is more than a component list. This deep dive covers services, vulnerabilities, compositions, and the parts of the spec most teams overlook.
Executive Order 14028 mandates SBOMs for federal software procurement. Here's a practical breakdown of what's required, what formats to use, and how to get compliant.
Weekly insights on software supply chain security, delivered to your inbox.