reachability
Safeguard articles tagged "reachability" — guides, analysis, and best practices for software supply chain and application security.
50 articles
Semantic Reachability vs Call-Graph Reachability in 2026
Call graphs say a function is reachable. Semantic reachability asks whether the preconditions for exploitation hold. The difference matters for prioritization.
Zero-Day Discovery With LLM-Augmented Reachability: A Safeguard Engine Walkthrough
Pattern-matching scanners miss zero-days by definition. An engine that follows taint across package boundaries plus a model that hypothesizes exploit conditions can find what either would miss alone. Here is how that pipeline works end to end.
Solve SCA False Positive Overload With Reachability Analysis
SCA tools produce more findings than any team can review. Reachability analysis is the filter that turns the haystack into a queue your engineers will actually finish.
cdxgen v12: Reachability Evidence Lands in SBOMs
OWASP's cdxgen v12 ships reachability evidence powered by atom, multi-BOM generation (SBOM, CBOM, SaaSBOM, OBOM, CDXA), and CycloneDX 1.7 as the default. We tested it on a Java monorepo.
Reachability Analysis for JavaScript and TypeScript in 2026
JS reachability with npm's nested trees, dynamic require, ESM/CJS interop, and bundler dead code elimination. What modern tools resolve and what they punt.
How Reachability Cuts Your Vulnerability Backlog 80%
The 80% backlog reduction from reachability isn't marketing. It's a measurable property of how transitive dependency graphs actually expose risk to a specific application.
Prioritising CVE Patches With Reachability, Not CVSS Alone
CVSS by itself produces a queue ordered by hypothetical severity. Reachability orders by actual exposure. Mixing the two correctly is where mature programs land.
Next-Gen SCA Explained: What Changed in 2026
Next-gen SCA tools moved past package-tree scanning to reachability, runtime context, and exploit signal. Here's what actually changed and why it matters.
Using Reachability To Defend SOC 2 Audit Decisions
An auditor asks why you didn't fix CVE-X. The defensible answer involves reachability evidence. Without it, the conversation gets uncomfortable.
Reachability vs Pure-LLM Vulnerability Scanning In 2026
Pure-LLM vulnerability scanners hit production around 2024. By 2026 their failure modes are documented. Reachability remains the backbone — and the LLM is most useful on top of it.
Reachability Analysis For Monorepos And Microservices
Reachability across a monorepo or a microservices fleet needs different engineering than reachability inside a single service. Both are tractable; both have specific failure modes.
Reachability Analysis for Ruby and RubyGems in 2026
Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.