Supply Chain Security
Securing dependencies, build pipelines, and the path from source to production.
Generating a CycloneDX SBOM in Your CI/CD Pipeline
Automate SBOM generation at build time with CycloneDX, add AI-attribution metadata, and sign with Sigstore — practical CI/CD integration.
Cryptographically Signing AI-Generated Artifacts with Sigstore
Using Sigstore keyless signing to verify autonomous agent-authored code and build artifacts with non-repudiation and audit trails.
Mapping Your SBOM to NIST NVD: A Vulnerability Triage Workflow
Go from SBOM to patched artifact: CVE lookup, CISA KEV prioritization, VEX documentation, and remediation tracking.
Vendoring AI-Generated Code: SBOM and License Implications
When a coding agent rewrites a third-party function inline, copies a Stack Overflow snippet, or paraphrases an MIT-licensed utility, what does your SBOM actually say — and how do you keep the license attribution chain intact?
How Package Managers Actually Work: Resolution, Lock Files, and SBOM Calculation
A primary-source explainer of how npm, Yarn, pnpm, pip, Poetry, uv, Cargo, Go modules, Maven, Gradle, Bundler, and Composer resolve dependencies, lock them, and feed SBOM tools — and where those SBOMs disagree.