static-analysis
Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.
106 articles
Insecure defaults in Azure ARM templates: a pre-deployment scanning guide
Azure Resource Manager templates don't enforce TLS 1.2 or block public blob access by default — here's how to catch it before terraform apply's Azure cousin ever runs.
ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS
A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.
Comparing open-source tools for secure Java code review
SpotBugs checks 400+ bug patterns, Find Security Bugs adds 144 more, and CodeQL needs a full build — no single free Java scanner covers everything.
Integrating C/C++ security scanning into CI pipelines
Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.
Python linting for security hygiene: what flake8, pylint, and bandit actually catch
Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.
Modern C++ security: smart pointers, bounds checking, and static analysis
Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.
How modern SAST engines model data flow and taint tracking
Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.
Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?
The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.
Static vs Dynamic Code Analysis: An Honest 2026 Comparison
SAST vs DAST vs IAST in 2026 — what each finds, what each misses, the real tools, how reachability bridges them, and where Safeguard fits — explained without hype.
AI code review: what it actually catches versus misses
GitClear's 211M-line study found copy-pasted code rose from 8.3% to 12.3% of changes from 2020 to 2024 — even as AI reviewers flag more comments, the defects that matter most still slip through.
How AI-powered SAST auto-fix engines actually work
GitHub says Copilot Autofix resolves two-thirds of flagged vulnerabilities with little editing; Snyk claims 80% fix accuracy. Here's the pipeline behind both numbers.
Memory-Safety Vulnerabilities in C/C++: What Static and Dynamic Analysis Actually Catch
Roughly 70% of the CVEs Microsoft and Google's Chrome team assign each year trace to memory-unsafe C/C++ code — how static analysis, sanitizers, and fuzzers each catch a different slice of it.