static-analysis
Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.
106 articles
C/C++ security in automotive software-defined vehicles
MISRA C:2025 now spans roughly 225 guidelines and explicitly covers AI-generated code — but memory-safety bugs still drive roughly 70% of the vulnerabilities patched in major C/C++ codebases.
Bytecode vs. source analysis: static analysis techniques for Java and Kotlin
SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.
Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages
NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.
Why static scanners miss malicious AI agent skills
In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.
PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit
Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.
A vendor-neutral framework for evaluating SAST tools
OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.
The gosec Static Analysis Guide: Rules, CI, and Taming False Positives
gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.
Source Code Analysis Explained: A Practical 2026 Guide
What source code analysis actually is in 2026 — the categories, the real tools, how it relates to SCA and reachability, and where Safeguard fits — explained honestly and without hype.
Can an LLM find the same bug twice? What repeatability benchmarking reveals
In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.
PHP Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.
Go Code Review Tools: An Honest 2026 Buyer's Guide
A balanced 2026 comparison of Go code review and static-analysis tools — go vet, staticcheck, golangci-lint, gosec, govulncheck, Semgrep, CodeQL — with honest tradeoffs and where Safeguard fits.
JavaScript & TypeScript Code Review Tools: An Honest 2026 Guide
A balanced 2026 comparison of JavaScript and TypeScript code review tools — ESLint, Biome, Semgrep, CodeQL, SonarQube, Snyk Code — with honest tradeoffs and where Safeguard fits.