Safeguard.sh Documentation Center

Asset Discovery

Automatically discover every repository, container, package, SBOM, AI model, and vendor dependency in your software estate.

You cannot secure what you cannot see. Safeguard's asset discovery continuously catalogs every software artifact your organization builds, buys, or consumes — and binds each to an owner, a business context, and a risk profile.

What Gets Discovered

Safeguard discovers and tracks seven asset classes:

Asset                | Source                    | Example
---------------------|---------------------------|-----------------------------------------------------------
Source repositories  | Git providers             | GitHub, GitLab, Bitbucket, Azure DevOps
Container images     | Registries                | ECR, ACR, GCR, GHCR, Artifactory, Harbor, Docker Hub
Packages             | Build outputs, lockfiles  | npm, PyPI, Maven, NuGet, Go, Rust, Ruby, PHP
AI models            | Model registries          | Hugging Face, MLflow, Vertex AI Model Registry, SageMaker
SBOMs                | Internal and vendor       | CycloneDX, SPDX, ingested from Portal or API
Vendors              | TPRM module               | SaaS vendors, open-source dependencies, hardware
Runtime workloads    | Agents and operators      | Kubernetes pods, Lambda, Cloud Run, ECS, VMs

How Discovery Works

Three connection modes power discovery: agentless integrations, lightweight agents, and SBOM ingestion.

Agentless Integrations

Connect Safeguard to your Git provider, container registries, cloud accounts, and model registries with OAuth or IAM roles. Safeguard then continuously:

  • Enumerates new repositories, images, and models.
  • Polls for pushes, tags, releases, and deletions.
  • Cross-references with your CI/CD logs to detect shadow builds.

See Integrations for the supported connector matrix.

Lightweight Agents

Deploy the Safeguard runtime collector on:

  • Kubernetes clusters — a DaemonSet observes image pulls, workload manifests, and admission events.
  • Linux hosts / VMs — captures package inventories, running containers, and loaded shared libraries.
  • CI/CD runners — captures build-time manifests and publishes them as runtime SBOMs.

Agents send telemetry over mTLS and do not ship source code or binaries off-host.

SBOM Ingestion

For vendor software, partner platforms, and imported artifacts, ingest SBOMs directly via:

  • Portal upload (drag-and-drop CycloneDX or SPDX).
  • safeguard sbom push CLI command.
  • POST /v1/sboms API call.

Ingested SBOMs are normalized, de-duplicated, enriched with vulnerability data, and joined into the asset graph.
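The normalize-and-de-duplicate step above is easier to reason about with a concrete input. The following is an added example, not Safeguard's own ingestion code: it reads a CycloneDX JSON document and an SPDX JSON document (the field names are the real CycloneDX 1.x and SPDX 2.x JSON keys), folds both into one component table keyed by package URL so that the same package reported by two SBOMs becomes one record with two sources, and then joins a constructed advisory table. The sample SBOMs, source names and advisory IDs are all constructed for the example.

```python
"""Normalize CycloneDX and SPDX JSON SBOMs into one de-duplicated component table.

Added example, not Safeguard's ingestion pipeline. Sample documents and the
advisory table below are constructed; the JSON keys match the published formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    purl: str        # package URL, used as the de-duplication key
    name: str
    version: str
    sources: tuple   # names of the SBOM documents that mentioned this component


SAMPLE_SBOMS = {
    "vendor-acme-app": {  # CycloneDX 1.5 JSON (constructed)
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.15.2",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        ],
    },
    "internal-base-image": {  # SPDX 2.3 JSON (constructed)
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"name": "openssl", "versionInfo": "3.0.2",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:deb/debian/openssl@3.0.2"}]},
            {"name": "log4j-core", "versionInfo": "2.17.1",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
        ],
    },
}

# Placeholder advisory IDs keyed by purl; a real enrichment source would supply these.
ADVISORIES = {"pkg:deb/debian/openssl@3.0.2": ["ADV-EXAMPLE-0001"]}


def _spdx_purl(pkg):
    """SPDX carries the purl as an external reference rather than a top-level field."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def normalize_sbom(doc, source):
    """Return Component records from a CycloneDX or SPDX JSON document."""
    if doc.get("bomFormat") == "CycloneDX":
        raw = [(c.get("purl"), c["name"], c.get("version", "")) for c in doc.get("components", [])]
    elif "spdxVersion" in doc:
        raw = [(_spdx_purl(p), p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    else:
        raise ValueError("unsupported SBOM format")
    out = []
    for purl, name, version in raw:
        # Without a purl there is no reliable identity; fall back to a generic name@version key.
        key = purl or f"pkg:generic/{name}@{version}"
        out.append(Component(key, name, version, (source,)))
    return out


def merge_sboms(docs):
    """Merge several SBOMs into one table keyed by purl, recording every source that mentioned it."""
    table = {}
    for source, doc in docs.items():
        for comp in normalize_sbom(doc, source):
            prev = table.get(comp.purl)
            if prev is None:
                table[comp.purl] = comp
            else:
                table[comp.purl] = Component(prev.purl, prev.name, prev.version, prev.sources + (source,))
    return table


def enrich(table, advisories):
    """Join advisory IDs onto the merged table; components without advisories get an empty list."""
    return {purl: advisories.get(purl, []) for purl in table}


if __name__ == "__main__":
    merged = merge_sboms(SAMPLE_SBOMS)
    for purl, advs in enrich(merged, ADVISORIES).items():
        print(purl, "sources=", merged[purl].sources, "advisories=", advs)
```

The purl is the right join key because it already encodes ecosystem, namespace, name and version; de-duplicating on name alone would silently merge a Maven artifact with an npm package of the same name.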

The Asset Graph

Every discovered asset is a node. Safeguard stitches them together into a typed graph:

Vendor           --provides-->    SBOM
SBOM             --describes-->   Container Image
Container Image  --runs-in-->     Kubernetes Workload
Repository       --builds-->      Container Image
Package          --belongs-to-->  Repository
AI Model         --uses-->        Package

Queries answer practical questions:

  • "Which production workloads contain log4j-core 2.17.1?"
  • "Which vendors ship AI models with unsigned weights?"
  • "Which of our repositories publish containers that run in a FedRAMP boundary?"

Use the Search page in ESSCM for graph queries or the /v1/graph/query API for programmatic access.
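To make the graph traversal behind those questions concrete, here is an added example that is not Safeguard's graph engine or its /v1/graph/query API. It builds a small typed graph using only the edge kinds listed above, then answers the first and third sample questions by walking a chain of relations forward (Package to Repository to Container Image to Workload) and backward (Workload to Container Image to Repository). All node identifiers, the env values and the sensitivity encoding regulated-fedramp are constructed for the example.

```python
"""Typed asset graph with the relations from this page, and two of the sample queries.

Added example, not Safeguard's own graph implementation. Every node, edge and
attribute value below is constructed for illustration.
"""
from collections import defaultdict

LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"
EXPRESS = "pkg:npm/express@4.18.2"


class AssetGraph:
    """Nodes carry a type plus attributes; edges carry a relation and are indexed both ways."""

    def __init__(self):
        self.nodes = {}
        self._out = defaultdict(list)  # src -> [(relation, dst)]
        self._in = defaultdict(list)   # dst -> [(relation, src)]

    def add_node(self, node_id, node_type, **attrs):
        self.nodes[node_id] = {"type": node_type, **attrs}

    def add_edge(self, src, relation, dst):
        for n in (src, dst):
            if n not in self.nodes:
                raise KeyError(f"unknown node {n!r}")
        self._out[src].append((relation, dst))
        self._in[dst].append((relation, src))

    def match(self, node_type, **attrs):
        """All node ids of a type whose attributes equal the given values."""
        return {n for n, a in self.nodes.items()
                if a["type"] == node_type and all(a.get(k) == v for k, v in attrs.items())}

    def walk(self, starts, path, reverse=False):
        """Follow a chain of relations; reverse=True walks against the arrow direction."""
        adj = self._in if reverse else self._out
        frontier = set(starts)
        for relation in path:
            frontier = {nxt for n in frontier for rel, nxt in adj[n] if rel == relation}
        return frontier


def build_sample_graph():
    g = AssetGraph()
    g.add_node(LOG4J, "Package", name="log4j-core", version="2.17.1")
    g.add_node(EXPRESS, "Package", name="express", version="4.18.2")
    g.add_node("org/payments", "Repository")
    g.add_node("org/web", "Repository")
    g.add_node("registry/payments:1.4", "ContainerImage")
    g.add_node("registry/web:2.0", "ContainerImage")
    g.add_node("prod/payments", "Workload", env="prod", sensitivity="regulated-fedramp")
    g.add_node("staging/payments", "Workload", env="staging", sensitivity="internal")
    g.add_node("prod/web", "Workload", env="prod", sensitivity="public")
    g.add_edge(LOG4J, "belongs-to", "org/payments")
    g.add_edge(EXPRESS, "belongs-to", "org/web")
    g.add_edge("org/payments", "builds", "registry/payments:1.4")
    g.add_edge("org/web", "builds", "registry/web:2.0")
    g.add_edge("registry/payments:1.4", "runs-in", "prod/payments")
    g.add_edge("registry/payments:1.4", "runs-in", "staging/payments")
    g.add_edge("registry/web:2.0", "runs-in", "prod/web")
    return g


def workloads_with_package(g, name, version, env="prod"):
    """Package -belongs-to-> Repository -builds-> Container Image -runs-in-> Workload, filtered by env."""
    starts = g.match("Package", name=name, version=version)
    hits = g.walk(starts, ["belongs-to", "builds", "runs-in"])
    return sorted(w for w in hits if g.nodes[w].get("env") == env)


def repos_publishing_into(g, sensitivity):
    """Same chain walked against the arrows: Workload <-runs-in- Container Image <-builds- Repository."""
    starts = g.match("Workload", sensitivity=sensitivity)
    return sorted(g.walk(starts, ["runs-in", "builds"], reverse=True))


if __name__ == "__main__":
    graph = build_sample_graph()
    print("prod workloads with log4j-core 2.17.1:", workloads_with_package(graph, "log4j-core", "2.17.1"))
    print("repos feeding the FedRAMP boundary:", repos_publishing_into(graph, "regulated-fedramp"))
```

Indexing edges in both directions is what lets one graph answer both "what is downstream of this package" and "what is upstream of this workload" without a second data structure; the Cypher query shown later on this page expresses the same forward chain as a pattern match.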

Ownership and Tagging

Every asset gets assigned:

  • Owner — inferred from Git CODEOWNERS, container labels, or manually assigned.
  • Business unit — mapped from repository topic tags, cloud account, or namespace.
  • Environment — production, staging, dev, ephemeral.
  • Sensitivity — customer data, regulated (FedRAMP, HIPAA, PCI), public, internal.

These fields drive routing: findings in a production PCI workload page different humans than a dev sandbox.

Shadow Asset Detection

Safeguard continuously looks for assets that exist but are not governed:

  • A new repository in your org that is not connected.
  • An image in a registry with no SBOM.
  • A running container image that is not in any SBOM.
  • A vendor API being called from production but not listed in TPRM.

Shadow findings surface in the Asset Discovery dashboard as UNGOVERNED status and can drive automation — for example, opening a Jira ticket or blocking deployments until the asset is onboarded.

Coverage Metrics

The dashboard reports three headline coverage metrics:

  • SBOM coverage — % of running workloads with at least one fresh SBOM.
  • Vendor coverage — % of third-party components covered by TPRM records.
  • Ownership coverage — % of assets with an identified owner.

These metrics are exposed as time-series so coverage is trackable over quarters.
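The shadow-asset checks and the three coverage metrics above are both set operations over the same inventories, so one added example serves both sections. This is not Safeguard's dashboard logic: it takes constructed inventories standing in for the Git connector, the registry connector, ingested SBOMs, the TPRM vendor list and the runtime agents, emits one finding per ungoverned asset of the four kinds listed under Shadow Asset Detection, and computes SBOM, vendor and ownership coverage as percentages. The fixed clock, the seven-day freshness window and the owner map are assumptions made for the example.

```python
"""Shadow-asset findings and coverage metrics from constructed inventories.

Added example, not Safeguard's dashboard code. The freshness window and the
clock are assumed; every inventory entry below is constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are deterministic
FRESH_WINDOW = timedelta(days=7)                 # assumed definition of a "fresh" SBOM

# Constructed inventories, one per discovery source described on this page.
ORG_REPOS = {"org/payments", "org/web", "org/ml-experiments"}      # Git provider enumeration
CONNECTED_REPOS = {"org/payments", "org/web"}                       # repositories onboarded
REGISTRY_IMAGES = {"registry/payments:1.4", "registry/web:2.0", "registry/batch:0.9"}
SBOM_BY_IMAGE = {                                                   # image -> newest SBOM timestamp
    "registry/payments:1.4": NOW - timedelta(days=2),
    "registry/web:2.0": NOW - timedelta(days=30),
}
TPRM_VENDORS = {"stripe.com"}                                       # vendors with TPRM records
RUNNING = [                                                         # runtime agent telemetry
    {"workload": "prod/payments", "image": "registry/payments:1.4", "env": "prod",
     "vendor_calls": {"stripe.com"}},
    {"workload": "prod/web", "image": "registry/web:2.0", "env": "prod",
     "vendor_calls": {"analytics.example"}},
    {"workload": "prod/legacy-cron", "image": "internal/cron:latest", "env": "prod",
     "vendor_calls": set()},
]
OWNERS = {  # asset id -> owner, as inferred from CODEOWNERS, labels or manual assignment
    "org/payments": "team-pay", "org/web": "team-web",
    "registry/payments:1.4": "team-pay", "prod/payments": "team-pay", "prod/web": "team-web",
}


def shadow_findings():
    """One (asset_kind, asset_id, reason) tuple per asset that exists but is not governed."""
    findings = []
    for repo in sorted(ORG_REPOS - CONNECTED_REPOS):
        findings.append(("repository", repo, "not connected"))
    for image in sorted(REGISTRY_IMAGES - set(SBOM_BY_IMAGE)):
        findings.append(("image", image, "no SBOM"))
    for w in RUNNING:
        if w["image"] not in SBOM_BY_IMAGE:
            findings.append(("workload", w["workload"], "running image not in any SBOM"))
        if w["env"] == "prod":
            for vendor in sorted(w["vendor_calls"] - TPRM_VENDORS):
                findings.append(("vendor", vendor, f"called from {w['workload']} but not in TPRM"))
    return findings


def coverage_metrics():
    """The three headline metrics as percentages rounded to one decimal."""
    def pct(num, den):
        return round(100.0 * num / den, 1) if den else 0.0

    # SBOM coverage counts a workload only if its image has an SBOM inside the freshness window.
    fresh = [w for w in RUNNING
             if w["image"] in SBOM_BY_IMAGE and NOW - SBOM_BY_IMAGE[w["image"]] <= FRESH_WINDOW]
    vendors_seen = set().union(*(w["vendor_calls"] for w in RUNNING))
    assets = ORG_REPOS | REGISTRY_IMAGES | {w["workload"] for w in RUNNING}
    return {
        "sbom_coverage": pct(len(fresh), len(RUNNING)),
        "vendor_coverage": pct(len(vendors_seen & TPRM_VENDORS), len(vendors_seen)),
        "ownership_coverage": pct(sum(a in OWNERS for a in assets), len(assets)),
    }


if __name__ == "__main__":
    for kind, asset, reason in shadow_findings():
        print(f"UNGOVERNED {kind:10} {asset:25} {reason}")
    print(coverage_metrics())
```

Note that a stale SBOM (registry/web:2.0 here) produces no shadow finding but still drags SBOM coverage down, which is why the metric is defined on fresh SBOMs rather than on any SBOM ever ingested.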

API Examples

List all repositories discovered in the last 24 hours:

safeguard assets list --type repository --discovered-since 24h

Find all images running in production that contain a specific package:

safeguard graph query --cypher "MATCH (w:Workload {env:'prod'})-[:RUNS]->(i:Image)-[:HAS]->(p:Package {name:'openssl'}) RETURN w, p"

Related

  • Integrations — connector matrix and setup.
  • TPRM — vendor and third-party dependency governance.
  • Search — asset-graph query UI.
  • Policies and Gates — enforce policies against discovered assets.