Safeguard
Tag

sast

Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.

267 articles

Application Security

The Python code review security checklist: eval, pickle, and shell=True

Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.

Jul 11, 20266 min read
DevSecOps

Where Security Gates Belong in Your CI/CD Pipeline

23.8 million secrets leaked on public GitHub in 2024 alone. The fix isn't more scanners — it's putting the right gate at the right stage and tuning out the noise.

Jul 11, 20267 min read
AI Security

AI Code Generation: An Evaluation Framework for Gating Output Before Merge

NYU researchers found security weaknesses in ~40% of Copilot-generated programs. Here's how to gate AI code before it ever reaches main.

Jul 10, 20267 min read
Application Security

Detecting weak cryptographic algorithms in code

SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.

Jul 10, 20267 min read
Application Security

Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?

The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.

Jul 10, 20266 min read
DevSecOps

A reference architecture for automating security gates in CI/CD

29M hardcoded secrets leaked in 2025 alone. Here's a gate architecture — SAST, SCA, secrets, IaC — that catches that without adding a day to your release cycle.

Jul 9, 20267 min read
Application Security

Reducing false positives in SAST and SCA tools

NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.

Jul 9, 20266 min read
AI Security

Scanning AI-Generated Code Before It Merges: Wiring Scanners into Coding Assistants with MCP

Research found ~40% of Copilot suggestions were vulnerable, and devs using AI assistants trusted their code more. MCP lets you scan before merge.

Jul 9, 20267 min read
Best Practices

The real ROI of shifting left: what early flaw detection actually saves

A 2025 data breach averages $4.44M globally and $10.22M in the US. Here's a defensible cost model for catching flaws before they ship, not after.

Jul 9, 20266 min read
Concepts

SAST vs SCA: What's the Difference? (Beginner's Guide)

SAST reads the code your team wrote, looking for insecure patterns. SCA inspects the open-source code you borrowed, looking for known vulnerabilities. One checks your writing; the other checks your ingredients.

Jul 8, 20267 min read
Buyer's Guides

Static vs Dynamic Code Analysis: An Honest 2026 Comparison

SAST vs DAST vs IAST in 2026 — what each finds, what each misses, the real tools, how reachability bridges them, and where Safeguard fits — explained without hype.

Jul 8, 20266 min read
Application Security

AI code review: what it actually catches versus misses

GitClear's 211M-line study found copy-pasted code rose from 8.3% to 12.3% of changes from 2020 to 2024 — even as AI reviewers flag more comments, the defects that matter most still slip through.

Jul 8, 20266 min read
sast (Page 3) — Safeguard Blog