sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
How to Audit npm Dependencies for Vulnerabilities
Go beyond npm audit's noisy output — resolve your dependency tree, prioritize by reachability, and fix both direct and transitive vulnerabilities in a Node.js project the right way.
Log4j Security Guide (2026)
Log4j is the most widely deployed Java logging library — and the source of Log4Shell, the defining supply-chain vulnerability of the decade. Here is how to run it safely in 2026.
Mend Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the top Mend alternatives in 2026 — Snyk, Sonatype, Black Duck, Endor Labs, Dependabot, and Safeguard — with candid pros, cons, and guidance on choosing.
minimist Security Guide (2026)
minimist is the tiny argument parser buried under a huge slice of the npm ecosystem — and two prototype-pollution CVEs made this 'harmless' 100-line library one of the most widely flagged transitive dependencies in JavaScript.
Scala Security Best Practices: JVM Supply Chain, Deserialization, and Framework CVEs
Scala's expressive type system does nothing about the JVM attack surface underneath it. Log4Shell, Jackson gadget chains, and Spark's command-injection CVE all reach Scala code directly.
Sonatype vs JFrog Xray: A Neutral Comparison for 2026
Sonatype and JFrog Xray both secure the software supply chain from the artifact repository outward, but they anchor to different platforms and philosophies. An honest side-by-side, plus a third option.
Supply Chain Attacks FAQ: 2026 Threats Explained
Answers to the most common questions about software supply chain attacks in 2026 — how they work, famous examples, the main techniques, and how to defend against them.
Vulnerability Management FAQ: Process, Tooling, and SLAs
What vulnerability management actually involves — discovery, triage, prioritization, remediation, and verification — answered as a practical FAQ for security and engineering teams.
.NET Dependency Vulnerability Scanning: A Practical Guide
How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.
The Best Dependency Scanning Tools in 2026
Dependency scanning is crowded and the tools differ more than the marketing suggests. This balanced guide compares Dependabot, Snyk, Mend, Trivy, Socket, and Safeguard on accuracy, prioritization, and remediation.
Black Duck Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Black Duck alternatives in 2026 — Snyk, Mend, Sonatype, FOSSA, Trivy, and Safeguard — with candid pros, cons, and a framework for choosing.
The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI
Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.