software-composition-analysis
Safeguard articles tagged "software-composition-analysis" — guides, analysis, and best practices for software supply chain and application security.
82 articles
Open source license risk in M&A due diligence
Open source license conflicts hide in most acquisition targets' codebases. Here's why manifest-based SCA tools like Mend.io miss them in M&A diligence — and what a real audit needs.
Snyk Open Source vs Safeguard SCA
Two developer-first SCA tools, one honest comparison: vulnerability data, fix automation, noise levels, pricing models, and where each one actually fits.
Axios npm Vulnerabilities: The Full CVE History and Patch Guide
Every notable axios npm vulnerability, from the 2019 DoS to the 2025 SSRF, with the fixed versions and a patch path that also catches the transitive ones.
Endor Labs vs Safeguard: Reachability-Based SCA Compared
How Endor Labs and Safeguard both use reachability analysis to cut SCA noise, and where their scope and approach to supply chain security diverge.
Reachability Analysis Explained: Function-Level vs Packag...
Package-level reachability flags 60% of CVEs as "reachable." Function-level analysis, tracing real call paths, cuts that to under 10%. Here's the difference.
Automated Dependency Patches: How Endor-Style Patch Gener...
Endor Labs generates automated dependency patches using reachability and AI rewrites. Here's how the pipeline works, where it breaks, and Safeguard's approach.
Aikido vs Socket: supply chain security comparison
Aikido bundles SAST/DAST/SCA into one ASPM platform; Socket digs into package behavior. Here's where Safeguard's provenance-first approach fits between them.
jQuery prototype pollution vulnerability re-emerges
jQuery's prototype pollution flaw (CVE-2019-11358) keeps surfacing in 2026 dependency scans. Here's why it persists and how to remediate it.
Open source dependency vulnerability scanning explained
How open source vulnerability scanning works, why false positives plague tools like Aikido, and how reachability and SBOMs cut real triage time.
Software Composition Analysis (SCA)
SCA finds every open source package in your code and flags known CVEs against it. Here's how it works, its blind spots, and how to fix them.
SAST vs SCA Testing
SAST scans the code you wrote; SCA scans the code you imported. Here's the real difference, with Equifax, Log4Shell, and xz as case studies.
SCA vs SBOM: What's the Difference
SCA and SBOM aren't the same thing: one is a scanning process, the other is a compliance artifact. Here's how they differ and why you need both.