sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
The Python code review security checklist: eval, pickle, and shell=True
Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.
Where Security Gates Belong in Your CI/CD Pipeline
23.8 million secrets leaked on public GitHub in 2024 alone. The fix isn't more scanners — it's putting the right gate at the right stage and tuning out the noise.
AI Code Generation: An Evaluation Framework for Gating Output Before Merge
NYU researchers found security weaknesses in ~40% of Copilot-generated programs. Here's how to gate AI code before it ever reaches main.
Detecting weak cryptographic algorithms in code
SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.
Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?
The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.
A reference architecture for automating security gates in CI/CD
29M hardcoded secrets leaked in 2025 alone. Here's a gate architecture — SAST, SCA, secrets, IaC — that catches that without adding a day to your release cycle.
Reducing false positives in SAST and SCA tools
NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.
Scanning AI-Generated Code Before It Merges: Wiring Scanners into Coding Assistants with MCP
Research found ~40% of Copilot suggestions were vulnerable, and devs using AI assistants trusted their code more. MCP lets you scan before merge.
The real ROI of shifting left: what early flaw detection actually saves
A 2025 data breach averages $4.44M globally and $10.22M in the US. Here's a defensible cost model for catching flaws before they ship, not after.
SAST vs SCA: What's the Difference? (Beginner's Guide)
SAST reads the code your team wrote, looking for insecure patterns. SCA inspects the open-source code you borrowed, looking for known vulnerabilities. One checks your writing; the other checks your ingredients.
Static vs Dynamic Code Analysis: An Honest 2026 Comparison
SAST vs DAST vs IAST in 2026 — what each finds, what each misses, the real tools, how reachability bridges them, and where Safeguard fits — explained without hype.
AI code review: what it actually catches versus misses
GitClear's 211M-line study found copy-pasted code rose from 8.3% to 12.3% of changes from 2020 to 2024 — even as AI reviewers flag more comments, the defects that matter most still slip through.