Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A pragmatic 90-day blueprint for standing up an SBOM program that survives auditor scrutiny, procurement reviews, and incident response without burning out your platform team.
AI models are now first-class supply chain components. Here is how an AI-BOM captures lineage, datasets, runtimes, and evaluations in a way that survives audit.
Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.
What changed in SPDX 3.0 and the 3.0.1 patch release: the profile model, AI and dataset profiles, serialization choices, and what to migrate first.
An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.
Where AI-BOM and ML-BOM specifications stand in 2026, which formats have real adoption, and what to capture today even if the standards are still in motion.
A senior engineer's survey of AI-BOM and ML-BOM standards in 2026, from CycloneDX ML components to SPDX 3.0 AI profile, and what to actually ship.
Weekly insights on software supply chain security, delivered to your inbox.