sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
How the Snyk CLI's --all-projects flag discovers manifest...
A technical look at how Snyk CLI's --all-projects flag walks a repository, matches manifest files, and where directory-depth limits can leave dependencies unscanned.
Container Security Testing Methods, Compared
Image scanning, runtime monitoring, and configuration auditing all count as container security testing, but they catch different things at different stages — here's how to combine them.
Why Transitive Dependencies Are the Blind Spot in Most Vu...
Most vulnerability scans stop at direct dependencies, missing the 70-80% of your codebase that arrives transitively — where Log4Shell and other major CVEs actually hid.
Direct vs Transitive Vulnerabilities: Why the Distinction...
Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.
From Log4Shell to Now: What Changed and What Didn't in Su...
Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.
Apache Tomcat and Coyote Connector Vulnerabilities Explained
Apache tomcat vulnerabilities keep surfacing because Tomcat sits directly in the request path of so many Java applications; here is what the Coyote connector does and which vulnerability classes recur most.
Reachability Analysis in 2025: Separating Exploitable Vulnerabilities from Noise
Reachability analysis determines whether a vulnerable function is actually called by your application. The technology has matured from research concept to production tool. Here is how it works and where it falls short.
Runtime Reachability Analysis: Cutting Through Vulnerabil...
Most CVE findings are noise. Here's how runtime reachability analysis separates exploitable risk from theoretical severity, and why CVSS alone can't prioritize your patch queue.
The Quiet Consolidation of SCA, SAST, and Container Scann...
A wave of PE buyouts and platform acquisitions is quietly folding SCA, SAST, and container scanning into fewer, bigger AppSec platforms. Here's what's driving it.
Application Vulnerability Testing Methods, Compared
Application vulnerability testing spans static analysis, dynamic testing, dependency scanning, and manual review — each catches a different slice of application security vulnerabilities, and none covers all of them alone.
Spring Framework RCE Vulnerabilities: A History
From Spring4Shell to older data binding flaws, Spring framework RCE bugs keep resurfacing in the same handful of places — data binding, expression evaluation, and class loading.
Application Security Testing Tools: SAST, DAST, IAST, and SCA Compared
Four scanner families see four different slices of your risk. What SAST, DAST, IAST, and SCA each catch and miss, and how to sequence them in CI without drowning developers.