Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Can an LLM find the same bug twice? What repeatability benchmarking reveals
In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.
What Is Application Security (AppSec) 101
AppSec used to mean scanning code for known bugs. Here's why that's no longer enough, what CVE-matching tools like Snyk miss, and what a real supply chain security program requires.
CodeQL default setup vs advanced setup for code scanning
CodeQL's default setup is fast but limited; advanced setup adds control but more YAML to maintain. Here's how the two compare, and where Safeguard fits in.
Secret scanning coverage: GHAS's ~200 patterns vs broader...
GHAS matches secrets against ~200 partner patterns. We break down where that coverage ends and how Safeguard's layered detection catches what pattern lists miss.
GitHub Secret Protection deep dive: push protection, cust...
How GitHub Secret Protection's push protection, custom patterns, and validity checks actually work post-GHAS split, and where the coverage gaps still leave secrets exposed.
GitHub Code Security and CodeQL SAST scanning explained
GitHub split Advanced Security into Code Security and Secret Protection in 2025. Here's how CodeQL SAST actually works, what it misses, and how Safeguard fills the supply-chain gap.
How GitHub used secret scanning to reach 'inbox zero' on ...
GitHub spent nine months clearing 20,000+ secret scanning alerts across 15,000 repos, finding 90% were noise. Here's how they beat alert fatigue, and how Safeguard automates it.
Reducing false positives in secret scanning with context-...
Regex-based secret scanners like GitHub Advanced Security flood teams with false positives. Here's how context-aware LLM reasoning cuts the noise without missing real leaked credentials.
DAST vs SAST vs IAST: choosing the right testing method
SAST, DAST, and IAST each test different things. Here's how Checkmarx positions its platform, and where Safeguard's supply chain approach fits alongside it.
False positives vs. false negatives in security scanning
False positives waste engineering time; false negatives cause breaches. A verifiable, metrics-based look at how Safeguard and Checkmarx approach scan accuracy.
Vulnerability assessment vs. penetration testing
Vulnerability assessment and penetration testing solve different problems. Here's how Safeguard's supply chain approach compares to Checkmarx's AppSec platform.
How AppSec teams cut false-positive triage time
AppSec teams drown in false positives. See how Safeguard's supply-chain-native triage compares to Checkmarx's SAST-driven approach on reachability, context, and workflow fit.