Tools
In-depth guides and analysis on tools from the Safeguard engineering team.
50 articles
Sigstore Policy Controller v0.15: TUF Delegation and Admission Posture
Policy Controller v0.15 ships sigstore-go's delegation-aware TUF client, a monthly cadence, and tighter integration with cosign 3.x. We benchmarked admission on a 400-node cluster.
Trivy vs Grype: A Buyer Comparison for 2026
How Trivy 0.58 and Grype 0.85 compare in real-world container scanning: vulnerability coverage, false positive rates, SBOM support, and operational fit.
JFrog Curation 2026: Time-Based Waivers and On-Demand Policies
JFrog Curation shipped time-bound waivers, on-demand policy application, group-based scope, and ChainGuard hardened-Maven support in 2026. We tested the upgrade on an Artifactory estate.
How Syft scans software to generate SBOMs (under-the-hood...
A deep look at Syft's under-the-hood scanning mechanics — catalogers, binary classifiers, layer squashing, and SBOM formats — and where the single-scan model breaks down at fleet scale.
tfsec to Trivy IaC: 2026 Migration Playbook
tfsec has been folded into Trivy for over a year and Aqua has stopped feature work on tfsec. We migrated three platforms in 2026 and documented what actually breaks.
Open source dependency scanning (OSS composition risk)
Open source dependency scanning has moved from periodic audits to a CI/CD gate. Here's how it works, where Anchore fits, and where Safeguard differs.
Checkmarx SCA vs Mend vs Snyk: 2026 Buyer Comparison
A direct comparison of Checkmarx SCA, Mend, and Snyk in 2026 across reachability, license analysis, developer experience, and total cost of ownership.
Falco 0.40: Modern eBPF Is Now Default
Falco's 0.40 release line makes modern eBPF (CO-RE) the default driver, deprecates the legacy probe and gVisor engine, and changes how operators ship Falco. Here's what changed and what to test.
Mend (WhiteSource) Platform Deep Review 2026
A senior-engineer's deep review of Mend (formerly WhiteSource) in 2026: SCA accuracy, reachability, container scanning, AI features, pricing, and where it fits.
CodeQL vs Snyk: A Buyer Comparison for 2026
A side-by-side comparison of CodeQL and Snyk in 2026 across SAST, SCA, container, and IaC coverage, with realistic expectations for each.
Best Practices for npm Lockfile Security 2026
Your package-lock.json is a supply chain control, not build noise. Six habits — npm ci, script blocking, lockfile linting, provenance checks — that stop most npm attacks cold.
GitHub Advanced Security 2026: Copilot Autofix Goes GA
GHAS in 2026 made Copilot Autofix generally available, opened secret scanning to Team plans, and shipped extended secret metadata. We walked the upgrade for an org with 800 repos.