sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
Managing Open Source Component Risk at Scale
A modern app's dozen direct dependencies can resolve into thousands of transitive packages — and CVE-2024-3094 proved a single unmaintained one is enough to backdoor SSH itself.
Native-extension vulnerabilities in Python packages
numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.
Software Composition Analysis Best Practices for Engineering Teams
CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.
Should open source maintainers get free enterprise security tooling?
80-90% of the average codebase is open source, built largely by unpaid maintainers — Snyk's year-old maintainer program now covers 60+ projects for free.
What a good AI remediation agent needs to fix dependencies safely
Snyk's CLI remediation agent pushed fix rates from 23% to 45% with an intelligence layer — but the harder problem is making an agent developers trust to touch their lockfile unsupervised.
False Positives in Security Scanning FAQ
Why security scanners produce so many false positives, what actually counts as one, and how reachability analysis and context reduce the noise. A practical FAQ.
How to Secure Your Open Source Dependencies
Most of your code is code you didn't write. This beginner guide covers the practical habits that keep your open-source dependencies safe, from lockfiles to scanning.
semver (npm) Security Guide (2026)
semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.
Sonatype Nexus Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Sonatype Nexus alternatives in 2026 — JFrog, Snyk, Mend, Black Duck, Cloudsmith, and Safeguard — with candid pros, cons, and a framework for choosing.
Spring Framework Security Guide (2026)
Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.
Transitive Dependency Risk Explained: The Code You Never Chose
Transitive dependencies are the packages your dependencies pull in, and they make up most of your codebase. Here is why they are risky and how to manage them.
Understanding Open Source Security Risk
Open source powers nearly every modern application, but the code you inherit brings risks you did not write. This guide explains where open source risk comes from, how it reaches your product, and how to manage it without abandoning the ecosystem.