Safeguard works as a continuous loop: it discovers every dependency and component in your software, determines which known vulnerabilities are actually reachable, ranks them by exploitability, and then generates and tests fixes automatically. The mechanics combine deep transitive scanning, call-graph reachability analysis, and autonomous remediation from Griffin AI. This FAQ walks through each stage of how the platform operates.
Frequently Asked Questions
How does Safeguard discover what is in my software? Safeguard parses your manifests and lockfiles to build a complete dependency graph, then traces transitive dependencies — the dependencies of your dependencies — several layers deep. It also inspects container images and infrastructure-as-code. The result is a single component graph that represents everything your application actually ships.
How does the scanning process work? Once the component graph exists, Safeguard matches each component against vulnerability and malware intelligence to surface known CVEs and malicious packages. Scans are fast, typically completing in a couple of minutes, and they run inline in pull requests, in the CLI for pipelines, and on a schedule for already-deployed code.
How does reachability analysis determine exploitability? Reachability analysis builds a call graph of your application and checks whether the vulnerable function in a dependency is actually invoked along a live execution path. If nothing in your code can reach the vulnerable code, the finding is downgraded. This is what separates a small list of exploitable issues from a flood of theoretical ones.
How does Safeguard prioritize which vulnerabilities to fix first? It layers several signals: severity from CVSS, real-world exploitation likelihood from EPSS scoring, whether the finding is reachable in your code, and whether a public exploit exists. The combination pushes the genuinely dangerous, exploitable issues to the top of the queue instead of ranking purely on raw severity.
How does Griffin AI generate a fix? Griffin AI identifies the version or change that resolves a vulnerability, applies it, and runs compatibility testing to confirm the fix does not break your build. It then opens a pull request with the change and context. Because it tests compatibility before proposing the change, the fix is meant to be mergeable rather than a guess.
What does an auto-generated fix pull request contain? A Safeguard fix PR includes the dependency or code change that resolves the vulnerability, the reason it matters — such as the CVE and whether it is reachable — and the result of compatibility testing. Landing a tested fix directly is far more effective than filing a ticket and hoping, because it makes the fix cheaper than the delay.
How does Auto Fix handle source code versus containers? Auto Fix remediates in two places: it generates patches for vulnerable source code, and it provides zero-CVE container image alternatives so you can replace a vulnerable base image with a hardened one. Together these cover both the code you write and the images you deploy.
How does Safeguard build and use SBOMs? As it maps your components, Safeguard can generate an SBOM in seconds and export it as both CycloneDX and SPDX from one source graph. It attaches in-toto attestations and SLSA provenance so downstream consumers can verify origin and build integrity, and it supports VEX statements so you can publish not-affected decisions with justifications.
How do policy gates work? You define policy as code — for example, block any merge that introduces a new critical, reachable vulnerability. Safeguard evaluates each pull request and build against that policy and can fail the check, which prevents new bad code from landing rather than only reporting it after the fact. Gates can also enforce license and compliance rules.
How does continuous monitoring work after deployment? Vulnerabilities are disclosed constantly, so a component that was clean yesterday can be vulnerable today. Safeguard monitors your supply chain around the clock and re-evaluates already-shipped software against newly disclosed CVEs, then triggers remediation when something previously safe becomes exploitable.
How do AI agents interact with the workflow? Through the MCP server, AI assistants and IDE agents can call Safeguard's security tools directly — listing findings, scanning a package, or requesting a remediation plan — inside a developer's normal workflow. Every tool call can be scoped and audited, so agents operate within defined capability bounds.
How long does it take to see results? Most teams get a meaningful first result within minutes of connecting a single repository and running a scan. The initial scan surfaces prioritized, reachable findings, and remediation of exploitable issues typically happens in days rather than the weeks common with manual triage.
How does Safeguard keep false positives low over time? Beyond reachability and EPSS at scan time, VEX statements let teams permanently record not-affected justifications so the same noise does not resurface, and policy tuning focuses gates on what matters. The queue reflects genuine, actionable risk rather than raw scanner output.
To watch the scan-to-fix loop run on your own code, create a free account at https://app.safeguard.sh/register and read the documentation at https://docs.safeguard.sh.