sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
Where AI actually helps AppSec — and where it quietly makes things worse
One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.
How AI-powered SAST auto-fix engines actually work
GitHub says Copilot Autofix resolves two-thirds of flagged vulnerabilities with little editing; Snyk claims 80% fix accuracy. Here's the pipeline behind both numbers.
ASPM fundamentals: what application security posture management actually aggregates
Gartner coined the ASPM term in May 2023 and projects over 40% of organizations building software will adopt it by 2026 — here is what it actually does.
ASPM fundamentals for security teams
Gartner projects over 40% of organizations will adopt Application Security Posture Management by 2026 — here's what it actually aggregates and how to judge if yours is working.
A framework for integrating ASPM into an existing AppSec program
Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.
Python code injection: eval, exec, and pickle explained
eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.
Code injection risks in GenAI-generated code
Nearly 40% of GitHub Copilot's suggested programs contain exploitable vulnerabilities, and 19.7% of AI-generated code samples reference packages that don't exist.
Command injection in Python: subprocess, os.system, and safe-by-default patterns
os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.
Why AI-generated code needs DAST, not just SAST
Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.
The four-phase roadmap for adopting DevSecOps
Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.
A reference architecture for SAST, SCA, and DAST gates that don't block developers
Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.
Command injection in Go: os/exec, exec.Command, and how it still goes wrong
Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.