sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
What is a Fix PR (Automated Fix Pull Request)
Fix PRs auto-generate code changes for known CVEs, but without reachability analysis they can flood queues with noise or reintroduce risk on merge.
Application Security Companies: An Evaluation Checklist
A concrete checklist for evaluating application security companies in 2026 — coverage, false-positive handling, integration depth, and the questions vendor demos are designed to dodge.
AppSec Solutions: A Market Map for 2026
The appsec solutions market has consolidated around a handful of shapes — code-first platforms, cloud-native suites, and point scanners — and picking the right shape matters more than picking a brand.
PCI DSS software composition analysis requirements for pa...
What PCI DSS 4.0.1 actually requires for tracking third-party and open-source code in payment software, and how SBOMs and SCA tooling satisfy it.
lodash property injection via merge functions (CVE-2018-16487)
CVE-2018-16487 let attackers pollute Object.prototype via lodash's merge, mergeWith, and defaultsDeep functions. Here's how it works and how to fix it.
Best SBOM management and analysis platforms
A practical buyer's guide to SBOM management platforms in 2026 -- evaluation criteria plus an honest look at six real vendors and where each one falls short.
Insufficient Encapsulation Vulnerabilities
An insufficient encapsulation vulnerability (CWE-485) exposes internal state to untrusted code. See how it drove real CVEs in Velocity, Lodash, and BeanUtils.
Mobile app dependency vulnerability trends
Mobile apps now ship more third-party code than first-party. Safeguard's analysis breaks down where dependency vulnerabilities cluster and why.
Trivy v0.69 Release Deep Dive
Aqua's Trivy hit v0.69 in late 2025 with VEX-by-default scanning, ArtifactID/ReportID provenance fields, and faster misconfig scanning. We test the upgrade on a 1.2GB image.
Known Vulnerabilities in Dependencies: Detection and Triage
Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.
Outdated Software Components: Quantifying the Risk
Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.
What Is OSV (Open Source Vulnerabilities)?
OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.