software-composition-analysis
Safeguard articles tagged "software-composition-analysis" — guides, analysis, and best practices for software supply chain and application security.
82 articles
How Snyk handles Python dependency resolution across pip,...
How Snyk resolves Python dependency trees differently for pip, Poetry, and Pipenv, and what that means for vulnerability scan accuracy.
How Snyk Open Source scans Go modules and resolves the Go...
How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.
How snyk monitor creates and tracks a point-in-time proje...
A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.
How Snyk calculates direct versus transitive dependency v...
Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.
How Snyk's reachability analysis determines whether vulne...
A technical walkthrough of how Snyk's reachability analysis builds static call graphs to determine whether vulnerable dependency functions are actually invoked by your code.
How reachability analysis coverage differs across Java, J...
Snyk's reachability analysis works differently across Java, JavaScript, and Python — here's why static, typed Java gets deeper coverage than dynamic Python and JS call graphs.
How Snyk's default license policy is structured and how t...
How Snyk structures its default license policy—severity tiers, unknown-license handling, and PR enforcement—and the concrete steps to customize it for your org.
How Snyk's CLI test command differs technically from the ...
A technical breakdown of how Snyk's snyk test and snyk monitor commands differ mechanically — exit codes, dependency snapshots, and continuous vulnerability tracking.
How Snyk's Eclipse plugin integrates open source and code...
A mechanical look at how Snyk's Eclipse plugin surfaces open source and code scan findings as native markers in the IDE's Problems view.
How Snyk's Visual Studio extension scans .NET solutions f...
How Snyk's Visual Studio extension resolves .NET dependency trees, matches NuGet packages against its vulnerability database, and surfaces results in-editor.
Binary SBOM Analysis: Creating Software Bills of Materials Without Source Code
Not all software comes with source code. Binary analysis techniques can extract component information from compiled artifacts, firmware, and commercial software to produce SBOMs where traditional tools cannot.
SCA Security Testing: A Workflow Guide
SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.