Safeguard
Tag

static-analysis

Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.

106 articles

Cloud Security

Insecure defaults in Azure ARM templates: a pre-deployment scanning guide

Azure Resource Manager templates don't enforce TLS 1.2 or block public blob access by default — here's how to catch it before terraform apply's Azure cousin ever runs.

Jul 16, 20267 min read
Application Security

ESLint rules for detecting Trojan Source (bidi Unicode) attacks in JS/TS

A single invisible Unicode character can flip how code executes versus how it reads on screen. Here's how to configure ESLint to catch it.

Jul 16, 20266 min read
Application Security

Comparing open-source tools for secure Java code review

SpotBugs checks 400+ bug patterns, Find Security Bugs adds 144 more, and CodeQL needs a full build — no single free Java scanner covers everything.

Jul 16, 20266 min read
Application Security

Integrating C/C++ security scanning into CI pipelines

Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.

Jul 13, 20267 min read
Application Security

Python linting for security hygiene: what flake8, pylint, and bandit actually catch

Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.

Jul 12, 20266 min read
Application Security

Modern C++ security: smart pointers, bounds checking, and static analysis

Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.

Jul 11, 20266 min read
Application Security

How modern SAST engines model data flow and taint tracking

Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.

Jul 11, 20266 min read
Application Security

Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?

The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.

Jul 10, 20266 min read
Buyer's Guides

Static vs Dynamic Code Analysis: An Honest 2026 Comparison

SAST vs DAST vs IAST in 2026 — what each finds, what each misses, the real tools, how reachability bridges them, and where Safeguard fits — explained without hype.

Jul 8, 20266 min read
Application Security

AI code review: what it actually catches versus misses

GitClear's 211M-line study found copy-pasted code rose from 8.3% to 12.3% of changes from 2020 to 2024 — even as AI reviewers flag more comments, the defects that matter most still slip through.

Jul 8, 20266 min read
Application Security

How AI-powered SAST auto-fix engines actually work

GitHub says Copilot Autofix resolves two-thirds of flagged vulnerabilities with little editing; Snyk claims 80% fix accuracy. Here's the pipeline behind both numbers.

Jul 8, 20268 min read
Application Security

Memory-Safety Vulnerabilities in C/C++: What Static and Dynamic Analysis Actually Catch

Roughly 70% of the CVEs Microsoft and Google's Chrome team assign each year trace to memory-unsafe C/C++ code — how static analysis, sanitizers, and fuzzers each catch a different slice of it.

Jul 8, 20267 min read
static-analysis — Safeguard Blog