Safeguard
Open Source Security

Open source vulnerability management workflow (detect, pr...

A concrete look at the detect-prioritize-remediate workflow for open source vulnerability management, where Mend.io's SCA approach falls short, and how Safeguard closes the gap.

Aman Khan
AppSec Engineer
7 min read

On March 29, 2024, Microsoft engineer Andres Freund noticed SSH logins on a Debian test box taking half a second longer than they should have. He traced the delay to a backdoor buried inside XZ Utils, a compression library used by nearly every Linux distribution on earth. The flaw, tracked as CVE-2024-3094, had been planted over more than two years by a contributor who patiently earned maintainer trust before shipping malicious code into a package millions of servers pull in without a second thought. It is a reminder that open source vulnerability management is no longer a checkbox bolted onto a quarterly security review — it is a continuous workflow of detecting what is actually running in production, prioritizing the handful of issues that matter out of thousands of CVEs, and remediating them before attackers do. Mend.io (formerly WhiteSource, rebranded in 2021) built a large business on the detection half of that equation. This post walks through the full detect-prioritize-remediate lifecycle, where legacy SCA scanning breaks down, and how Safeguard closes the gap.

What counts as open source vulnerability management, and why do most programs stall?

Open source vulnerability management is the ongoing process of finding, ranking, and fixing known flaws in the third-party libraries your applications depend on — and most programs stall right at the finding stage because they mistake a scan report for a working process. According to Synopsys's 2024 Open Source Security and Risk Analysis (OSSRA) report, 96% of the commercial codebases audited contained open source components, 84% contained at least one known open source vulnerability, and 74% contained a high-risk vulnerability. Those numbers have barely moved in three years of reports, which tells you the industry doesn't have a detection problem — it has a workflow problem. A scan that produces a 4,000-line PDF once a quarter isn't vulnerability management; it's an inventory. Real management requires the same three steps to run continuously, on every commit, for every service, with an owner accountable for each open finding.

How do teams actually detect open source vulnerabilities across a live codebase?

Detection today means generating a live software bill of materials (SBOM) and matching it against vulnerability feeds continuously, not running a point-in-time scan against a manifest file. A typical modern application pulls in one direct dependency for every eight to ten transitive ones — the packages your packages depend on, which nobody on the team chose or reviewed. That's exactly how Log4Shell (CVE-2021-44228, disclosed December 10, 2021, CVSS 10.0) spread so far: teams that had never heard of Log4j discovered it three or four layers deep in a logging framework they did use. In 2023 alone, the National Vulnerability Database logged more than 28,000 new CVEs — a record at the time — and open source components account for a growing share of that volume every year. Effective detection means scanning source repos, container images, and build artifacts in CycloneDX or SPDX format, correlating results across all three, and catching a vulnerable transitive dependency the moment it lands in a lockfile, not the moment someone happens to re-run a scan.

How should security teams prioritize thousands of open source CVEs without drowning?

Prioritization works by filtering the raw CVE list through reachability, real-world exploitability, and business context, which typically cuts a "must fix now" list from thousands of findings down to dozens. This step matters more than ever because the data feeding CVSS scores is itself unreliable right now: in February 2024, NIST drastically slowed its CVE enrichment process, and by mid-2024 more than 15,000 published CVEs were sitting without an official analysis or severity score. Teams that prioritize on CVSS alone are increasingly prioritizing on incomplete data. A better signal set combines the CISA Known Exploited Vulnerabilities (KEV) catalog — over 1,300 entries as of mid-2026, each one confirmed as actively exploited in the wild — with EPSS exploit-prediction scores and, critically, reachability analysis that checks whether the vulnerable function in a dependency is ever actually called by your code. Independent studies of reachability tooling consistently find that only a minority of flagged vulnerable dependencies are reachable at runtime in a given application, meaning a naive severity-only queue can bury a team in work that carries zero actual risk to their specific deployment.

What does a working remediation workflow look like once you know what to fix?

Remediation works when the fix arrives as an automated pull request with a version bump, a changelog summary, and passing CI results attached — before a human ever opens a ticket. Manual remediation is slow: industry vulnerability reports have repeatedly found that the average known open source vulnerability remains unpatched for well over 100 days after a fix is available, largely because someone has to identify the minimal safe upgrade, check it against every consuming service, and open a PR by hand. That gets harder with transitive dependencies — fixing Log4Shell wasn't a single version bump for most teams; it meant tracing the vulnerable jar through two or three levels of build tooling (Maven shading, Gradle dependency resolution, vendored copies) before a patch actually took effect. A working remediation workflow automates that resolution step, opens the PR against the correct manifest at the correct depth, runs the existing test suite against the proposed version, and routes only genuinely breaking upgrades to a human reviewer — collapsing the fix cycle from months to days.

Where does Mend.io's approach fit, and where does it fall short, in this workflow?

Mend.io fits well as a detection and license-compliance engine, having built that reputation over more than a decade since launching as WhiteSource in 2011, but it falls short as a complete detect-prioritize-remediate loop for teams under modern audit pressure. Its strengths are real: broad language coverage, a mature policy engine for license risk, and agent-based scanning that many enterprises have standardized on. Where it falls short is downstream of detection. Reachability analysis was added to the product relatively late and is not uniformly available across all supported ecosystems, so severity-only alert volume remains a common complaint among its users. Remediation PRs are generated from version metadata rather than validated against the consuming application's own runtime behavior, which means "automated" fixes still need manual verification before merge. And for teams building toward SOC 2 or ISO 27001 attestation, Mend.io's evidence trail is oriented around scan reports rather than the auditable, tenant-scoped remediation history that compliance reviewers increasingly expect to see — who found what, when it was triaged, and when it was closed, per environment.

How Safeguard Helps

Safeguard is built around the full lifecycle, not just the scan. On the detection side, Safeguard generates a live SBOM from source, container images, and build artifacts on every commit, and reconciles all three views so a dependency introduced through a base image update is caught as fast as one added in a package.json. On prioritization, Safeguard combines CISA KEV status, EPSS scores, and static-and-dynamic reachability analysis to answer the only question that matters for a given finding: can an attacker actually reach this code path in this deployment. That typically shrinks a raw CVE feed of hundreds of findings per service down to a short list a single engineer can act on before lunch. On remediation, Safeguard opens pull requests with the minimal safe upgrade already resolved through the dependency tree, test results attached, and a clear diff of what changed and why — so merging a fix doesn't require re-deriving the fix first. And because Safeguard tracks every finding from detection through closure in a tenant-aware audit log, security and compliance teams get the SOC 2-ready remediation evidence that a stack of quarterly scan PDFs was never designed to produce. For teams that inherited Mend.io as a detection tool but are still doing prioritization and remediation by hand, that's the gap Safeguard is built to close.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.