code-review
Safeguard articles tagged "code-review" — guides, analysis, and best practices for software supply chain and application security.
45 articles
Comparing open-source tools for secure Java code review
SpotBugs checks 400+ bug patterns, Find Security Bugs adds 144 more, and CodeQL needs a full build — no single free Java scanner covers everything.
Secure code review: the checklist reviewers actually need
Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.
Trojan Source: how Unicode bidi control characters hide malicious code in plain sight
CVE-2021-42574 scored 8.3 CVSS for a bug that isn't a parser flaw at all — it's Unicode's bidirectional text algorithm, weaponized against code review.
Can AI-Generated Code Be Trusted? A Security Review
A 2025 USENIX study found LLMs hallucinate nonexistent packages in up to 21.7% of code samples — and attackers are already registering the names.
The Python code review security checklist: eval, pickle, and shell=True
Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.
AI Code Generation: An Evaluation Framework for Gating Output Before Merge
NYU researchers found security weaknesses in ~40% of Copilot-generated programs. Here's how to gate AI code before it ever reaches main.
When Node.js sandboxing stops at the C++ boundary
Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.
Guardrails for AI Coding Assistants in the SDLC
45% of AI-generated code samples in Veracode's 2025 test of 100+ LLMs contained OWASP Top 10 vulnerabilities — here's how to gate it before merge.
A Checklist for Reviewing AI-Generated Code Before It Merges
19.7% of packages LLMs recommend don't exist in real registries, per a 576,000-sample USENIX 2025 study — here's what to check before merging AI-written code.
Security Practices for GitHub Copilot and AI Coding Assistants
Copilot suggested 2,702 hardcoded secrets from just 900 prompts in one study, and at least 200 were live credentials — adoption without policy is a leak waiting to happen.
Top SAST Auto-Fixing Tools in 2026: An Honest Buyer's Guide
A balanced 2026 comparison of SAST tools that auto-fix findings — GitHub Copilot Autofix, Semgrep, Snyk, SonarQube, Mobb, Pixee — with honest tradeoffs and where Safeguard fits.
PHP Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.