sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
A vendor-neutral framework for software supply chain security tools
Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.
Affordable SCA Tool FAQ: Real Software Composition Analysis for $1
How to get affordable software composition analysis in 2026 — what SCA should cost, why free scanners aren't really free, and how Safeguard's $1 Starter plan delivers real SCA.
Axios Security Guide (2026)
Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.
The Best Open Source Security Tools in 2026
You can build a capable security program from free tools. This balanced guide compares Trivy, Grype and Syft, OSV-Scanner, OWASP Dependency-Check, and Dependency-Track — and is honest about when a commercial platform earns its cost.
How to Choose a Security Scanner
There are dozens of security scanners and the marketing all sounds the same. This beginner guide gives you a simple, hands-on way to pick the right one.
How to Remediate Transitive Dependency Vulnerabilities
Fix vulnerabilities in the nested packages you never installed directly — trace the import chain, choose between upgrading the parent or overriding the child, and verify the fix without breaking builds.
JFrog Xray Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the top JFrog Xray alternatives in 2026 — Snyk, Sonatype, Mend, Trivy, Anchore, and Safeguard — with candid pros, cons, and a way to choose.
Securing AI-Generated Code FAQ: What Breaks and How to Fix It in 2026
Practical answers on securing AI-generated code — the vulnerability patterns models produce, why volume defeats manual review, hallucinated dependencies, and how Safeguard scans and auto-fixes at merge time.
Source Code Analysis Explained: A Practical 2026 Guide
What source code analysis actually is in 2026 — the categories, the real tools, how it relates to SCA and reachability, and where Safeguard fits — explained honestly and without hype.
tar (node-tar) Security Guide (2026)
node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.
What Is Reachability Analysis in Security?
Reachability analysis determines whether a vulnerable piece of code can actually be executed from your application — cutting through the noise of vulnerabilities that exist but can never be triggered. Here's how it slashes false positives.
Apache Struts and the recurring pattern of path-traversal and RCE bugs
Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.