sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
CodeQL 2.22 Security Query Pack Review
GitHub's CodeQL 2.22.4 runs 478 security queries by default across 169 CWEs. We map the new queries added in 2025 and benchmark scan times on real repos.
Why Snyk Agent Fix scopes fixes to a single file, and wha...
Snyk Agent Fix patches one file per finding. Here's why that scope exists, which vulnerability classes need multi-file fixes, and how to catch what a single-file patch leaves behind.
Reading a SAST Report: Findings, Traces, and Triage
A SAST report is a list of claims, not a list of bugs. How to read data-flow traces, judge severity honestly, and run a triage workflow that keeps the queue moving.
How Snyk Code's detection differs across Java, JavaScript...
Snyk Code applies one hybrid AI-plus-symbolic engine to ten languages, but rule depth, autofix coverage, and taint tracking vary widely by language.
How Snyk Code integrates with GitHub Advanced Security th...
A technical walkthrough of how Snyk Code's SARIF output is generated, uploaded, and deduplicated inside GitHub Advanced Security's code scanning pipeline.
How Snyk Code's confidence scoring separates high-confide...
How Snyk Code's confidence scoring works under the hood, and why "high confidence" and "severity" are not the same axis for triage.
How Snyk Code analyzes API usage patterns to catch insecu...
A technical look at how Snyk Code's symbolic engine and taint tracking flag insecure API calls like weak crypto, XXE, and SSRF before code ships.
How Snyk Code detects path traversal vulnerabilities thro...
How Snyk Code uses interprocedural data-flow tracing—not regex matching—to catch path traversal (CWE-22) by connecting tainted sources to file-system sinks.
How Snyk Code's duplicate and similar-code detection supp...
Snyk Code once shipped duplicate and similar-code detection under its Code Quality rules. Here's how it worked, and what its 2025 retirement means for teams.
GenAI Code Review Tools: A 2025 Field Test
We field-tested five GenAI code review tools against 240 seeded security defects to see which catch real issues and which hallucinate findings.
A Checkmarx Scan: What It Actually Analyzes
A breakdown of what a Checkmarx scan actually analyzes under the hood, what its static analysis engine catches well, and where teams typically add another tool alongside it.
Mobile Application Security Assessment: How It's Actually Done
What a mobile application security assessment actually involves, from static binary analysis through dynamic testing on real devices, and where it differs from a web app pen test.