Safeguard
Tag

sca

Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.

345 articles

Product

How the Snyk CLI's --all-projects flag discovers manifest...

A technical look at how Snyk CLI's --all-projects flag walks a repository, matches manifest files, and where directory-depth limits can leave dependencies unscanned.

Aug 15, 20257 min read
Containers

Container Security Testing Methods, Compared

Image scanning, runtime monitoring, and configuration auditing all count as container security testing, but they catch different things at different stages — here's how to combine them.

Aug 14, 20255 min read
Open Source Security

Why Transitive Dependencies Are the Blind Spot in Most Vu...

Most vulnerability scans stop at direct dependencies, missing the 70-80% of your codebase that arrives transitively — where Log4Shell and other major CVEs actually hid.

Aug 13, 20257 min read
Open Source Security

Direct vs Transitive Vulnerabilities: Why the Distinction...

Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.

Aug 11, 20258 min read
Open Source Security

From Log4Shell to Now: What Changed and What Didn't in Su...

Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.

Aug 10, 20258 min read
AppSec

Apache Tomcat and Coyote Connector Vulnerabilities Explained

Apache tomcat vulnerabilities keep surfacing because Tomcat sits directly in the request path of so many Java applications; here is what the Coyote connector does and which vulnerability classes recur most.

Aug 8, 20256 min read
Application Security

Reachability Analysis in 2025: Separating Exploitable Vulnerabilities from Noise

Reachability analysis determines whether a vulnerable function is actually called by your application. The technology has matured from research concept to production tool. Here is how it works and where it falls short.

Jul 28, 20258 min read
Industry Analysis

Runtime Reachability Analysis: Cutting Through Vulnerabil...

Most CVE findings are noise. Here's how runtime reachability analysis separates exploitable risk from theoretical severity, and why CVSS alone can't prioritize your patch queue.

Jul 24, 20258 min read
Open Source Security

The Quiet Consolidation of SCA, SAST, and Container Scann...

A wave of PE buyouts and platform acquisitions is quietly folding SCA, SAST, and container scanning into fewer, bigger AppSec platforms. Here's what's driving it.

Jul 15, 20258 min read
AppSec

Application Vulnerability Testing Methods, Compared

Application vulnerability testing spans static analysis, dynamic testing, dependency scanning, and manual review — each catches a different slice of application security vulnerabilities, and none covers all of them alone.

Jun 25, 20256 min read
AppSec

Spring Framework RCE Vulnerabilities: A History

From Spring4Shell to older data binding flaws, Spring framework RCE bugs keep resurfacing in the same handful of places — data binding, expression evaluation, and class loading.

Jun 24, 20256 min read
AppSec

Application Security Testing Tools: SAST, DAST, IAST, and SCA Compared

Four scanner families see four different slices of your risk. What SAST, DAST, IAST, and SCA each catch and miss, and how to sequence them in CI without drowning developers.

Jun 24, 20256 min read
sca (Page 24) — Safeguard Blog