sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
SAST Tools: A Shortlist Worth Evaluating
A working sast tools list should separate what free sast tools handle well from what only becomes worthwhile once you're paying for language coverage, tuning, and CI/CD depth.
Open redirect vulnerabilities explained
Open redirect flaws (CWE-601) score as medium severity alone, but they power real phishing campaigns against Google, Amex, and Microsoft. Here's how they work and how to stop them.
Type confusion vulnerabilities explained
Type confusion bugs let attackers corrupt memory by exploiting mismatched type assumptions. See real CVEs, how JIT engines fail, and how to catch it early.
Format string vulnerabilities explained
Format string bugs let attackers turn a printf call into memory disclosure or arbitrary writes. Here's how CWE-134 works, real CVEs, and fixes.
Code Security Scanners: Choosing One for Your Stack
The right code security scanner depends less on which vendor's marketing sounds best and more on language coverage, false-positive rate, and whether it fits into the workflow developers already use.
Insufficient Encapsulation Vulnerabilities
An insufficient encapsulation vulnerability (CWE-485) exposes internal state to untrusted code. See how it drove real CVEs in Velocity, Lodash, and BeanUtils.
Code Injection via eval() and exec() Across Languages
eval() and exec() turn dynamic code execution into remote code execution. A cross-language look at how it happens in Python, JS, PHP, and Ruby.
Best AI and LLM generated code security scanning tools
An honest buyer's guide to AI generated code security scanning tools: what to evaluate, how six real vendors stack up, and where they fall short.
Fortify Scan vs Modern SAST Tools: What Changed
A Fortify scan still catches classic code-level flaws well, but the SAST category has moved toward faster feedback and reachability-aware prioritization since Fortify's architecture was designed.
Semgrep Community Fall 2025: Native Windows and 3x Multicore
Semgrep's Fall 2025 Community Edition ships native Windows binaries, a memory-efficient multicore engine, and up to 3x scan speedups. We benchmarked it.
SQL Injection Prevention in Node.js/JavaScript
SQL injection still hits Node.js apps through raw drivers, Sequelize, Prisma, and Knex alike. Here's how it happens, what safe queries look like, and how to catch it in CI.
Path Traversal Prevention in JavaScript/Node.js with path...
path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.