Safeguard
Tag

reachability

Safeguard articles tagged "reachability" — guides, analysis, and best practices for software supply chain and application security.

50 articles

DevSecOps

Semantic Reachability vs Call-Graph Reachability in 2026

Call graphs say a function is reachable. Semantic reachability asks whether the preconditions for exploitation hold. The difference matters for prioritization.

Apr 29, 20266 min read
AI Security

Zero-Day Discovery With LLM-Augmented Reachability: A Safeguard Engine Walkthrough

Pattern-matching scanners miss zero-days by definition. An engine that follows taint across package boundaries plus a model that hypothesizes exploit conditions can find what either would miss alone. Here is how that pipeline works end to end.

Apr 19, 20268 min read
Vulnerability Management

Solve SCA False Positive Overload With Reachability Analysis

SCA tools produce more findings than any team can review. Reachability analysis is the filter that turns the haystack into a queue your engineers will actually finish.

Apr 12, 20264 min read
Tools

cdxgen v12: Reachability Evidence Lands in SBOMs

OWASP's cdxgen v12 ships reachability evidence powered by atom, multi-BOM generation (SBOM, CBOM, SaaSBOM, OBOM, CDXA), and CycloneDX 1.7 as the default. We tested it on a Java monorepo.

Apr 9, 20266 min read
Application Security

Reachability Analysis for JavaScript and TypeScript in 2026

JS reachability with npm's nested trees, dynamic require, ESM/CJS interop, and bundler dead code elimination. What modern tools resolve and what they punt.

Apr 8, 20265 min read
Vulnerability Management

How Reachability Cuts Your Vulnerability Backlog 80%

The 80% backlog reduction from reachability isn't marketing. It's a measurable property of how transitive dependency graphs actually expose risk to a specific application.

Apr 8, 20264 min read
Best Practices

Prioritising CVE Patches With Reachability, Not CVSS Alone

CVSS by itself produces a queue ordered by hypothetical severity. Reachability orders by actual exposure. Mixing the two correctly is where mature programs land.

Apr 4, 20263 min read
Application Security

Next-Gen SCA Explained: What Changed in 2026

Next-gen SCA tools moved past package-tree scanning to reachability, runtime context, and exploit signal. Here's what actually changed and why it matters.

Apr 2, 20265 min read
Regulatory Compliance

Using Reachability To Defend SOC 2 Audit Decisions

An auditor asks why you didn't fix CVE-X. The defensible answer involves reachability evidence. Without it, the conversation gets uncomfortable.

Mar 30, 20263 min read
AI Security

Reachability vs Pure-LLM Vulnerability Scanning In 2026

Pure-LLM vulnerability scanners hit production around 2024. By 2026 their failure modes are documented. Reachability remains the backbone — and the LLM is most useful on top of it.

Mar 25, 20263 min read
DevSecOps

Reachability Analysis For Monorepos And Microservices

Reachability across a monorepo or a microservices fleet needs different engineering than reachability inside a single service. Both are tractable; both have specific failure modes.

Mar 20, 20263 min read
Application Security

Reachability Analysis for Ruby and RubyGems in 2026

Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.

Mar 19, 20265 min read
reachability (Page 2) — Safeguard Blog