Open Source Security
In-depth guides and analysis on open source security from the Safeguard engineering team.
404 articles
How Snyk handles Python dependency resolution across pip,...
How Snyk resolves Python dependency trees differently for pip, Poetry, and Pipenv, and what that means for vulnerability scan accuracy.
How Snyk Open Source scans Go modules and resolves the Go...
How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.
How Snyk Open Source analyzes Cargo.lock for Rust depende...
How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.
Why Snyk's vulnerability database often reports issues be...
NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.
How Snyk's Fix PRs mechanically differ from Upgrade PRs a...
Snyk's Upgrade, Fix, and Backlog PRs aren't interchangeable — each changes different files and carries different CI risk. Here's the mechanical breakdown.
How Snyk decides whether an automatic PR proposes a minor...
A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.
How Snyk patches remediate vulnerabilities that have no a...
How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.
How snyk monitor creates and tracks a point-in-time proje...
A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.
How Snyk Open Source's PR checks block merges based on se...
A technical look at how Snyk Open Source's PR checks scan pull requests, compare severity to configured thresholds, and gate merges in CI/CD.
How Snyk calculates direct versus transitive dependency v...
Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.
How Snyk's reachability analysis determines whether vulne...
A technical walkthrough of how Snyk's reachability analysis builds static call graphs to determine whether vulnerable dependency functions are actually invoked by your code.
How reachability analysis coverage differs across Java, J...
Snyk's reachability analysis works differently across Java, JavaScript, and Python — here's why static, typed Java gets deeper coverage than dynamic Python and JS call graphs.