Safeguard
Tag

cve-management

Safeguard articles tagged "cve-management" — guides, analysis, and best practices for software supply chain and application security.

16 articles

Container Security

Choosing a secure Node.js Docker base image

A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.

Jul 12, 20267 min read
Industry Analysis

The State of Open Source Security: What a Year of Disclosure Data Shows

454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.

Jul 8, 20266 min read
Vulnerability Analysis

Inside the GitHub Advisory Database: how vulnerability re...

How vulnerability records actually get into the GitHub Advisory Database — curation, CNA status, GHAS enrichment, and the gaps in severity and version data teams should watch for.

Jul 1, 20267 min read
Container Security

Reducing CVEs in container base images

Base images inherit hundreds of OS-level CVEs your app never touches. Here's how reachability analysis and minimal bases cut real risk, not just counts.

Jun 21, 20267 min read
Vulnerability Analysis

NVD in the AI era: multi-source vulnerability intelligence

NVD's 2024 enrichment backlog exposed the risk of a single vulnerability feed. Here's how multi-source data and AI triage close the gap.

Jun 7, 20266 min read
Vulnerability Analysis

Aqua Vulnerability Database (AVD) explained

AVD powers Trivy's scan results, but it's a curated aggregator, not a primary source. Here's how it differs from NVD, where its gaps are, and how to close them.

Apr 27, 20267 min read
Vulnerability Management

Trivy (Open Source Scanner)

Trivy is free and fast, but Aqua Security built it as a funnel to its paid CNAPP. Here's what the open-source scanner misses and how Safeguard closes the gap.

Apr 12, 20267 min read
Buyer's Guides

Chainguard vs Docker Official Images: hardening and CVE p...

A concrete look at how Chainguard's distroless Wolfi images and Docker Official Images differ on CVE counts, rebuild cadence, and default hardening.

Apr 5, 202610 min read
DevSecOps

Security automation: stop chasing vulnerabilities, start ...

Chasing CVEs doesn't scale — 40,000+ vulnerabilities were logged in 2024 alone. Here's why prevention-first automation beats patch-cycle chasing, and how it differs from Chainguard's approach.

Apr 3, 20267 min read
Vulnerability Management

A guide to modern vulnerability scanning

Scanners disagree, CVE volume is exploding, and hardened base images solve only one layer. Here's how modern vulnerability scanning actually works — and where prioritization beats raw CVE counts.

Apr 3, 20268 min read
Open Source Security

Known Vulnerabilities in Dependencies

Known vulnerabilities in dependencies cause most supply-chain breaches, not because they're undetected but because teams can't tell which ones are reachable.

Apr 1, 20267 min read
Open Source Security

Auditing Ruby dependencies for known CVEs with bundler-audit

A step-by-step bundler-audit tutorial for scanning Ruby gems against known CVEs, patching vulnerable dependencies, and enforcing the check in CI.

Feb 2, 20267 min read
cve-management — Safeguard Blog