Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Can an LLM find the same bug twice? What repeatability benchmarking reveals

In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.

Jul 7, 20266 min read
Application Security

What Is Application Security (AppSec) 101

AppSec used to mean scanning code for known bugs. Here's why that's no longer enough, what CVE-matching tools like Snyk miss, and what a real supply chain security program requires.

Jul 5, 20267 min read
Application Security

CodeQL default setup vs advanced setup for code scanning

CodeQL's default setup is fast but limited; advanced setup adds control but more YAML to maintain. Here's how the two compare, and where Safeguard fits in.

Jul 4, 20267 min read
Application Security

Secret scanning coverage: GHAS's ~200 patterns vs broader...

GHAS matches secrets against ~200 partner patterns. We break down where that coverage ends and how Safeguard's layered detection catches what pattern lists miss.

Jul 3, 20268 min read
Application Security

GitHub Secret Protection deep dive: push protection, cust...

How GitHub Secret Protection's push protection, custom patterns, and validity checks actually work post-GHAS split, and where the coverage gaps still leave secrets exposed.

Jul 2, 20267 min read
Application Security

GitHub Code Security and CodeQL SAST scanning explained

GitHub split Advanced Security into Code Security and Secret Protection in 2025. Here's how CodeQL SAST actually works, what it misses, and how Safeguard fills the supply-chain gap.

Jul 2, 20267 min read
Application Security

How GitHub used secret scanning to reach 'inbox zero' on ...

GitHub spent nine months clearing 20,000+ secret scanning alerts across 15,000 repos, finding 90% were noise. Here's how they beat alert fatigue, and how Safeguard automates it.

Jul 1, 20267 min read
Application Security

Reducing false positives in secret scanning with context-...

Regex-based secret scanners like GitHub Advanced Security flood teams with false positives. Here's how context-aware LLM reasoning cuts the noise without missing real leaked credentials.

Jul 1, 20267 min read
Application Security

DAST vs SAST vs IAST: choosing the right testing method

SAST, DAST, and IAST each test different things. Here's how Checkmarx positions its platform, and where Safeguard's supply chain approach fits alongside it.

Jun 28, 20268 min read
Application Security

False positives vs. false negatives in security scanning

False positives waste engineering time; false negatives cause breaches. A verifiable, metrics-based look at how Safeguard and Checkmarx approach scan accuracy.

Jun 28, 20267 min read
Application Security

Vulnerability assessment vs. penetration testing

Vulnerability assessment and penetration testing solve different problems. Here's how Safeguard's supply chain approach compares to Checkmarx's AppSec platform.

Jun 28, 20267 min read
Application Security

How AppSec teams cut false-positive triage time

AppSec teams drown in false positives. See how Safeguard's supply-chain-native triage compares to Checkmarx's SAST-driven approach on reachability, context, and workflow fit.

Jun 26, 20268 min read
Application Security (Page 13) — Supply Chain Security Blog | Safeguard