Safeguard
Tag

sast

Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.

267 articles

Application Security

A vendor-neutral framework for evaluating SAST tools

OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.

Jul 8, 20266 min read
Application Security

Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox

CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.

Jul 8, 20266 min read
Buyer's Guides

Best SAST Tools in 2026: A Buyer's Guide to Static Analysis

A balanced 2026 comparison of the leading static application security testing tools — Semgrep, CodeQL, SonarQube, Snyk Code, Checkmarx, and Fortify — with an honest look at where Safeguard fits.

Jul 7, 20266 min read
Security Guides

The gosec Static Analysis Guide: Rules, CI, and Taming False Positives

gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.

Jul 7, 20266 min read
Buyer's Guides

Source Code Analysis Explained: A Practical 2026 Guide

What source code analysis actually is in 2026 — the categories, the real tools, how it relates to SCA and reachability, and where Safeguard fits — explained honestly and without hype.

Jul 7, 20267 min read
AI Security

Choosing a security tool for AI-generated code

GitHub reported in 2024 that Copilot writes up to 46% of code in enabled files — the same vulnerability classes humans write, now shipped at machine speed.

Jul 7, 20267 min read
Application Security

Preventing SQL injection in Node.js applications

CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.

Jul 7, 20267 min read
Application Security

Can an LLM find the same bug twice? What repeatability benchmarking reveals

In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.

Jul 7, 20266 min read
Open Source Security

Should open source maintainers get free enterprise security tooling?

80-90% of the average codebase is open source, built largely by unpaid maintainers — Snyk's year-old maintainer program now covers 60+ projects for free.

Jul 7, 20266 min read
Buyer's Guides

Top SAST Auto-Fixing Tools in 2026: An Honest Buyer's Guide

A balanced 2026 comparison of SAST tools that auto-fix findings — GitHub Copilot Autofix, Semgrep, Snyk, SonarQube, Mobb, Pixee — with honest tradeoffs and where Safeguard fits.

Jul 6, 20266 min read
Product

Introducing First-Party SAST and DAST: One Findings Model Across Code and Runtime

Safeguard is extending the platform with first-party static (SAST) and dynamic (DAST) application security testing — sharing one unified findings model with SCA, secrets, container, and IaC, with defensive-only DAST that only ever touches targets you've proven you own.

Jul 5, 20264 min read
Buyer's Guides

PHP Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.

Jul 5, 20266 min read
sast (Page 6) — Safeguard Blog