Safeguard
Topic

Open Source Security

In-depth guides and analysis on open source security from the Safeguard engineering team.

404 articles

Open Source Security

How Snyk handles Python dependency resolution across pip,...

How Snyk resolves Python dependency trees differently for pip, Poetry, and Pipenv, and what that means for vulnerability scan accuracy.

Aug 29, 20257 min read
Open Source Security

How Snyk Open Source scans Go modules and resolves the Go...

How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.

Aug 29, 20257 min read
Open Source Security

How Snyk Open Source analyzes Cargo.lock for Rust depende...

How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.

Aug 29, 20257 min read
Open Source Security

Why Snyk's vulnerability database often reports issues be...

NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.

Aug 28, 20257 min read
Open Source Security

How Snyk's Fix PRs mechanically differ from Upgrade PRs a...

Snyk's Upgrade, Fix, and Backlog PRs aren't interchangeable — each changes different files and carries different CI risk. Here's the mechanical breakdown.

Aug 28, 20258 min read
Open Source Security

How Snyk decides whether an automatic PR proposes a minor...

A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.

Aug 28, 20257 min read
Open Source Security

How Snyk patches remediate vulnerabilities that have no a...

How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.

Aug 27, 20257 min read
Open Source Security

How snyk monitor creates and tracks a point-in-time proje...

A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.

Aug 27, 20257 min read
Open Source Security

How Snyk Open Source's PR checks block merges based on se...

A technical look at how Snyk Open Source's PR checks scan pull requests, compare severity to configured thresholds, and gate merges in CI/CD.

Aug 27, 20257 min read
Open Source Security

How Snyk calculates direct versus transitive dependency v...

Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.

Aug 27, 20257 min read
Open Source Security

How Snyk's reachability analysis determines whether vulne...

A technical walkthrough of how Snyk's reachability analysis builds static call graphs to determine whether vulnerable dependency functions are actually invoked by your code.

Aug 26, 20257 min read
Open Source Security

How reachability analysis coverage differs across Java, J...

Snyk's reachability analysis works differently across Java, JavaScript, and Python — here's why static, typed Java gets deeper coverage than dynamic Python and JS call graphs.

Aug 26, 20257 min read
Open Source Security (Page 19) — Supply Chain Security Blog | Safeguard