cve-management
Safeguard articles tagged "cve-management" — guides, analysis, and best practices for software supply chain and application security.
16 articles
Choosing a secure Node.js Docker base image
A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.
The State of Open Source Security: What a Year of Disclosure Data Shows
454,600+ new malicious packages hit open-source registries in 2025, and NVD still closed the year with a 27,000-CVE enrichment backlog.
Inside the GitHub Advisory Database: how vulnerability re...
How vulnerability records actually get into the GitHub Advisory Database — curation, CNA status, GHAS enrichment, and the gaps in severity and version data teams should watch for.
Reducing CVEs in container base images
Base images inherit hundreds of OS-level CVEs your app never touches. Here's how reachability analysis and minimal bases cut real risk, not just counts.
NVD in the AI era: multi-source vulnerability intelligence
NVD's 2024 enrichment backlog exposed the risk of a single vulnerability feed. Here's how multi-source data and AI triage close the gap.
Aqua Vulnerability Database (AVD) explained
AVD powers Trivy's scan results, but it's a curated aggregator, not a primary source. Here's how it differs from NVD, where its gaps are, and how to close them.
Trivy (Open Source Scanner)
Trivy is free and fast, but Aqua Security built it as a funnel to its paid CNAPP. Here's what the open-source scanner misses and how Safeguard closes the gap.
Chainguard vs Docker Official Images: hardening and CVE p...
A concrete look at how Chainguard's distroless Wolfi images and Docker Official Images differ on CVE counts, rebuild cadence, and default hardening.
Security automation: stop chasing vulnerabilities, start ...
Chasing CVEs doesn't scale — 40,000+ vulnerabilities were logged in 2024 alone. Here's why prevention-first automation beats patch-cycle chasing, and how it differs from Chainguard's approach.
A guide to modern vulnerability scanning
Scanners disagree, CVE volume is exploding, and hardened base images solve only one layer. Here's how modern vulnerability scanning actually works — and where prioritization beats raw CVE counts.
Known Vulnerabilities in Dependencies
Known vulnerabilities in dependencies cause most supply-chain breaches, not because they're undetected but because teams can't tell which ones are reachable.
Auditing Ruby dependencies for known CVEs with bundler-audit
A step-by-step bundler-audit tutorial for scanning Ruby gems against known CVEs, patching vulnerable dependencies, and enforcing the check in CI.