sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
Checkmarx vs WhiteSource (Mend) Buyer Comparison 2026
A 2026 head-to-head buyer comparison of Checkmarx and Mend (formerly WhiteSource): SCA depth, SAST, reachability, AI features, pricing, and decision framework.
SonarQube SCA Capability Review 2026
A working review of SonarQube's SCA capability in 2026, comparing it against dedicated SCA tools on coverage, reachability, policy depth, and developer experience.
Dependabot Alternatives in 2026: A Buyer Rubric
A buyer rubric for evaluating Dependabot alternatives in 2026, covering update strategy, ecosystem coverage, reachability, and operational realities.
Zip Slip: archive extraction path traversal explained
Zip Slip lets malicious archives write files outside their extraction folder via ../ paths — how it works, real CVEs, and how to detect and fix it.
Semgrep Supply Chain: April 2026 Update Reviewed
Semgrep's April 2026 release added dedicated advisory pages, dependency path data in SBOM exports, a Guardian Supply Chain hook, and Maven/Gradle scanning without lockfiles.
FOSSA vs Snyk SCA Comparison 2026
Two SCA platforms with very different roots: FOSSA from license compliance, Snyk from vulnerability scanning. Which one fits which buyer profile in 2026?
Open source license management and scanning
33% of codebases ship components with no discernible license, and Aikido's manifest-based scanning still misses vendored code and stale registry metadata. Here's what real license compliance requires.
Transitive dependency vulnerabilities explained
A vulnerability three layers deep in your dependency graph is still your problem. Here's how transitive flaws like Log4Shell hide, spread, and get fixed.
Open source security audits: what they cover
What an open source security audit actually covers versus routine SCA scanning, the frameworks that define it, real costs and timelines, and how Aikido Security's approach compares.
Semantic Reachability vs Call-Graph Reachability in 2026
Call graphs say a function is reachable. Semantic reachability asks whether the preconditions for exploitation hold. The difference matters for prioritization.
Reachability analysis for prioritizing vulnerabilities
Reachability analysis cuts vulnerability noise by 70-90% by tracing which CVEs are actually callable from your code, not just present in your dependency tree.
What is Trivy and how it compares to other open-source sc...
Trivy is Aqua Security's free open-source scanner for containers, IaC, and dependencies. Here's how it compares to Grype, Clair, and Snyk—and where it falls short.