Safeguard
Tag

sca

Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.

345 articles

Application Security

What is a Fix PR (Automated Fix Pull Request)

Fix PRs auto-generate code changes for known CVEs, but without reachability analysis they can flood queues with noise or reintroduce risk on merge.

Jan 21, 20267 min read
AppSec

Application Security Companies: An Evaluation Checklist

A concrete checklist for evaluating application security companies in 2026 — coverage, false-positive handling, integration depth, and the questions vendor demos are designed to dodge.

Jan 15, 20265 min read
AppSec

AppSec Solutions: A Market Map for 2026

The appsec solutions market has consolidated around a handful of shapes — code-first platforms, cloud-native suites, and point scanners — and picking the right shape matters more than picking a brand.

Jan 14, 20265 min read
Regulatory Compliance

PCI DSS software composition analysis requirements for pa...

What PCI DSS 4.0.1 actually requires for tracking third-party and open-source code in payment software, and how SBOMs and SCA tooling satisfy it.

Jan 5, 20267 min read
Vulnerability Analysis

lodash property injection via merge functions (CVE-2018-16487)

CVE-2018-16487 let attackers pollute Object.prototype via lodash's merge, mergeWith, and defaultsDeep functions. Here's how it works and how to fix it.

Jan 4, 20267 min read
SBOM

Best SBOM management and analysis platforms

A practical buyer's guide to SBOM management platforms in 2026 -- evaluation criteria plus an honest look at six real vendors and where each one falls short.

Nov 19, 20257 min read
Application Security

Insufficient Encapsulation Vulnerabilities

An insufficient encapsulation vulnerability (CWE-485) exposes internal state to untrusted code. See how it drove real CVEs in Velocity, Lodash, and BeanUtils.

Nov 10, 20257 min read
Open Source Security

Mobile app dependency vulnerability trends

Mobile apps now ship more third-party code than first-party. Safeguard's analysis breaks down where dependency vulnerabilities cluster and why.

Nov 9, 20257 min read
Tools

Trivy v0.69 Release Deep Dive

Aqua's Trivy hit v0.69 in late 2025 with VEX-by-default scanning, ArtifactID/ReportID provenance fields, and faster misconfig scanning. We test the upgrade on a 1.2GB image.

Nov 4, 20255 min read
Software Supply Chain Security

Known Vulnerabilities in Dependencies: Detection and Triage

Known vulnerabilities in dependencies aren't a detection problem — they're a triage problem. Here's how CVEs get exploited, why CVSS alone misleads, and how to prioritize fixes.

Nov 4, 20258 min read
Software Supply Chain Security

Outdated Software Components: Quantifying the Risk

Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.

Nov 3, 20258 min read
Concepts

What Is OSV (Open Source Vulnerabilities)?

OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.

Oct 21, 20256 min read
sca (Page 22) — Safeguard Blog