Safeguard
Tag

code-review

Safeguard articles tagged "code-review" — guides, analysis, and best practices for software supply chain and application security.

45 articles

Application Security

Comparing open-source tools for secure Java code review

SpotBugs checks 400+ bug patterns, Find Security Bugs adds 144 more, and CodeQL needs a full build — no single free Java scanner covers everything.

Jul 16, 20266 min read
Best Practices

Secure code review: the checklist reviewers actually need

Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.

Jul 16, 20267 min read
Application Security

Trojan Source: how Unicode bidi control characters hide malicious code in plain sight

CVE-2021-42574 scored 8.3 CVSS for a bug that isn't a parser flaw at all — it's Unicode's bidirectional text algorithm, weaponized against code review.

Jul 16, 20266 min read
AI Security

Can AI-Generated Code Be Trusted? A Security Review

A 2025 USENIX study found LLMs hallucinate nonexistent packages in up to 21.7% of code samples — and attackers are already registering the names.

Jul 13, 20267 min read
Application Security

The Python code review security checklist: eval, pickle, and shell=True

Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.

Jul 11, 20266 min read
AI Security

AI Code Generation: An Evaluation Framework for Gating Output Before Merge

NYU researchers found security weaknesses in ~40% of Copilot-generated programs. Here's how to gate AI code before it ever reaches main.

Jul 10, 20267 min read
Application Security

When Node.js sandboxing stops at the C++ boundary

Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.

Jul 8, 20267 min read
AI Security

Guardrails for AI Coding Assistants in the SDLC

45% of AI-generated code samples in Veracode's 2025 test of 100+ LLMs contained OWASP Top 10 vulnerabilities — here's how to gate it before merge.

Jul 8, 20266 min read
AI Security

A Checklist for Reviewing AI-Generated Code Before It Merges

19.7% of packages LLMs recommend don't exist in real registries, per a 576,000-sample USENIX 2025 study — here's what to check before merging AI-written code.

Jul 8, 20267 min read
AI Security

Security Practices for GitHub Copilot and AI Coding Assistants

Copilot suggested 2,702 hardcoded secrets from just 900 prompts in one study, and at least 200 were live credentials — adoption without policy is a leak waiting to happen.

Jul 8, 20266 min read
Buyer's Guides

Top SAST Auto-Fixing Tools in 2026: An Honest Buyer's Guide

A balanced 2026 comparison of SAST tools that auto-fix findings — GitHub Copilot Autofix, Semgrep, Snyk, SonarQube, Mobb, Pixee — with honest tradeoffs and where Safeguard fits.

Jul 6, 20266 min read
Buyer's Guides

PHP Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.

Jul 5, 20266 min read
code-review — Safeguard Blog