================================================================================ SAFEGUARD RESOURCES BUNDLE Datasheets · Policy Templates · SBOM References · Compliance Mappings ================================================================================ Version: May 2026 snapshot Contact: docs@safeguard.sh ================================================================================ PART 1 — PLATFORM DATASHEETS ================================================================================ SAFEGUARD PLATFORM (one-page overview) -------------------------------------- What it is: AI-native software supply chain security platform. Discovers Zero Days, autonomously remediates them at 100-layer dependency depth, ships 500K+ curated zero-CVE components. Architecture: Multi-tenant cloud (default) · Dedicated cloud · On-prem · Air-gapped sovereign · IL5 / FedRAMP HIGH ready. Modules: Griffin AI · ESSCM · SBOM Studio · Scanner Suite · TPRM · Auto-Fix · MCP Server · IaC Security · DAST · Marketplace. Throughput: 500K+ scans / day sustained; elastic burst to 50K scans / sec. Interfaces: Web portal · CLI · IDE extensions (VS Code, JetBrains) · Chrome extension · Slack app · Microsoft 365 / Teams · REST API · MCP server for agent surfaces (Claude Code, Cursor, Cline). GRIFFIN MODEL FAMILY -------------------- Lite (8B) Edge / on-device. Latency: <120ms p95. INT8 friendly. S (14B) Small-team triage. Default tier for SOC 2 scale-ups. M (32B) Standard enterprise. Reachability + autofix workloads. L (70B) High-throughput. Deep call-graph context. Multi-region HA. Zero (671B-MoE) Sovereign tier only. 256K-token context. Full audit trace. Routing rule: triage_score 0.0-0.4 → Lite 0.4-0.6 → S 0.6-0.75 → M 0.75-0.9 → L 0.9-1.0 → Zero (sovereign customers only) SCANNER SUITE ------------- 11 integrated scanners + enrichment feeds: Source code SAST · Container image scan · SBOM (CycloneDX 1.6 + SPDX 2.3) · Manifest / lockfile (pnpm / npm / yarn / pip / poetry / cargo / go.sum / Gemfile.lock / pom.xml / packages.lock.json / composer.lock) · IaC scan (Terraform / Pulumi / Crossplane / CloudFormation / Helm) · Secret detection · License compliance · OSV + NVD + EPSS + KEV enrichment · Reachability + taint analysis · Runtime agent (eBPF / Falco-compatible). Output: signed in-toto attestation per scan; SBOM exported to CycloneDX or SPDX. MCP SERVER ---------- Tool surface for AI coding agents (Claude Code, Cursor, Cline, etc.). Capability scoping per-tool + per-tenant. Egress allowlist with DNS-level enforcement. Just-in-time secret broker (no long-lived credentials in agent context). Per-call audit chain-of-custody with signed receipts. ================================================================================ PART 2 — POLICY TEMPLATES (OPA / Rego starters) ================================================================================ LICENSE POLICY (block GPL-family in proprietary repos) ------------------------------------------------------ package safeguard.licenses deny[msg] { input.license_id == "GPL-3.0-only" input.repo.classification == "proprietary" msg := sprintf("GPL-3.0-only not permitted in proprietary repo: %s", [input.component.name]) } deny[msg] { input.license_id == "AGPL-3.0-only" msg := sprintf("AGPL-3.0-only not permitted: %s", [input.component.name]) } SEVERITY GATE (block deploys on reachable critical CVE) ------------------------------------------------------- package safeguard.severity deny[msg] { input.cvss_v3_base_score >= 9.0 input.reachable == true msg := sprintf("Reachable critical CVE: %s (CVSS %.1f)", [input.cve_id, input.cvss_v3_base_score]) } KEV GATE (block any KEV-listed CVE regardless of reachability) --------------------------------------------------------------- package safeguard.kev deny[msg] { input.kev_listed == true msg := sprintf("KEV-listed CVE present: %s", [input.cve_id]) } AGE-OF-FIX (block deploys if patch is older than X days and not applied) ------------------------------------------------------------------------- package safeguard.staleness deny[msg] { input.patch_available_at age_days := (time.now_ns() - input.patch_available_at) / (1000000000 * 86400) age_days > 30 msg := sprintf("Patch for %s has been available for %d days", [input.cve_id, age_days]) } ================================================================================ PART 3 — SAMPLE SBOM (CycloneDX 1.6 — abbreviated) ================================================================================ { "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:...example...", "version": 1, "metadata": { "timestamp": "2026-05-17T10:00:00Z", "tools": [{ "name": "safeguard-scanner", "version": "v3.4.0" }], "component": { "type": "application", "name": "example-api", "version": "1.2.3" } }, "components": [ { "type": "library", "bom-ref": "pkg:npm/express@4.19.2", "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2", "licenses": [{ "license": { "id": "MIT" } }], "hashes": [{ "alg": "SHA-256", "content": "abc...redacted..." }] } ], "vulnerabilities": [] } ================================================================================ PART 4 — COMPLIANCE MAPPING SUMMARIES ================================================================================ EO 14028 / NIST SSDF (US Federal) --------------------------------- PS.1 (Protect source code) — Safeguard provenance attestation per artifact PS.2 (Protect releases) — Sigstore signing on every build PS.3 (Provenance) — in-toto attestation chain PO.5 (Implement SDLC controls) — Policy gates at PR + merge + deploy PW.1 (Design) — Threat model imported from Trust Center PW.4 (Reuse existing) — Gold Registry zero-CVE component pull PW.7 (Review/analyze) — Reachability + taint analysis on every PR RV.1 (Find vulns) — Continuous scanning (500K+/day) RV.2 (Address vulns) — Griffin AI Auto-Fix on every reachable critical RV.3 (Analyze + reduce future) — Postmortem feed into policy templates (Full evidence pack on request via /company/contact — under mutual NDA.) DORA (EU Digital Operational Resilience Act) -------------------------------------------- Art. 5 ICT risk management framework ✓ TPRM module Art. 7 ICT systems, protocols, tools ✓ Platform inventory + SBOM Art. 11 ICT-related incident reporting ✓ Auto-detect + report flow Art. 17 Digital operational resilience testing ✓ Continuous scan + drill mode Art. 28 ICT third-party risk ✓ Supplier scoring + attestations DPDP Act (India) ---------------- S.4 Lawful processing ✓ Data inventory + consent ledger S.5 Notice ✓ Standard notice template S.8 Reasonable security safeguards ✓ Encryption + access control S.9 Personal data breach reporting ✓ Automated incident workflow S.12 Significant Data Fiduciary obligations ✓ Data audit trail + DPO console ================================================================================ PART 5 — INTEGRATIONS ================================================================================ Source control: GitHub · GitLab · Bitbucket · Azure DevOps CI/CD: GitHub Actions · GitLab CI · Jenkins · CircleCI · Buildkite · TeamCity · Argo Workflows · Tekton · Spinnaker Issue tracking: Jira · Linear · GitHub Issues · ServiceNow Comms: Slack · Microsoft Teams · Discord (community) Identity: Okta · Azure AD · Google Workspace · OIDC generic · SAML 2.0 SIEM / SOC: Splunk · Sumo Logic · Datadog · Elastic · Chronicle Registries: Docker Hub · GHCR · ECR · GAR · ACR · Harbor · Quay ================================================================================ END OF BUNDLE For documents marked NDA (SOC 2 report, full whitepapers, model weights, detailed mappings), email docs@safeguard.sh or visit https://safeguard.sh/company/contact ================================================================================