sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
A vendor-neutral framework for evaluating SAST tools
OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.
Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox
CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.
Best SAST Tools in 2026: A Buyer's Guide to Static Analysis
A balanced 2026 comparison of the leading static application security testing tools — Semgrep, CodeQL, SonarQube, Snyk Code, Checkmarx, and Fortify — with an honest look at where Safeguard fits.
The gosec Static Analysis Guide: Rules, CI, and Taming False Positives
gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.
Source Code Analysis Explained: A Practical 2026 Guide
What source code analysis actually is in 2026 — the categories, the real tools, how it relates to SCA and reachability, and where Safeguard fits — explained honestly and without hype.
Choosing a security tool for AI-generated code
GitHub reported in 2024 that Copilot writes up to 46% of code in enabled files — the same vulnerability classes humans write, now shipped at machine speed.
Preventing SQL injection in Node.js applications
CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.
Can an LLM find the same bug twice? What repeatability benchmarking reveals
In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.
Should open source maintainers get free enterprise security tooling?
80-90% of the average codebase is open source, built largely by unpaid maintainers — Snyk's year-old maintainer program now covers 60+ projects for free.
Top SAST Auto-Fixing Tools in 2026: An Honest Buyer's Guide
A balanced 2026 comparison of SAST tools that auto-fix findings — GitHub Copilot Autofix, Semgrep, Snyk, SonarQube, Mobb, Pixee — with honest tradeoffs and where Safeguard fits.
Introducing First-Party SAST and DAST: One Findings Model Across Code and Runtime
Safeguard is extending the platform with first-party static (SAST) and dynamic (DAST) application security testing — sharing one unified findings model with SCA, secrets, container, and IaC, with defensive-only DAST that only ever touches targets you've proven you own.
PHP Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.