Safeguard
Tag

static-analysis

Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.

106 articles

Application Security

C/C++ security in automotive software-defined vehicles

MISRA C:2025 now spans roughly 225 guidelines and explicitly covers AI-generated code — but memory-safety bugs still drive roughly 70% of the vulnerabilities patched in major C/C++ codebases.

Jul 8, 20267 min read
Application Security

Bytecode vs. source analysis: static analysis techniques for Java and Kotlin

SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.

Jul 8, 20265 min read
Best Practices

Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages

NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.

Jul 8, 20267 min read
AI Security

Why static scanners miss malicious AI agent skills

In April 2025, Invariant Labs showed a malicious MCP tool description could exfiltrate an SSH key — with zero suspicious code for a static scanner to flag.

Jul 8, 20266 min read
Application Security

PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit

Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.

Jul 8, 20266 min read
Application Security

A vendor-neutral framework for evaluating SAST tools

OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.

Jul 8, 20266 min read
Security Guides

The gosec Static Analysis Guide: Rules, CI, and Taming False Positives

gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.

Jul 7, 20266 min read
Buyer's Guides

Source Code Analysis Explained: A Practical 2026 Guide

What source code analysis actually is in 2026 — the categories, the real tools, how it relates to SCA and reachability, and where Safeguard fits — explained honestly and without hype.

Jul 7, 20267 min read
Application Security

Can an LLM find the same bug twice? What repeatability benchmarking reveals

In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.

Jul 7, 20266 min read
Buyer's Guides

PHP Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of PHP code review and static-analysis tools — PHPStan, Psalm, PHP_CodeSniffer, progpilot, Semgrep, SonarQube — with honest tradeoffs and where Safeguard fits.

Jul 5, 20266 min read
Buyer's Guides

Go Code Review Tools: An Honest 2026 Buyer's Guide

A balanced 2026 comparison of Go code review and static-analysis tools — go vet, staticcheck, golangci-lint, gosec, govulncheck, Semgrep, CodeQL — with honest tradeoffs and where Safeguard fits.

Jul 4, 20266 min read
Buyer's Guides

JavaScript & TypeScript Code Review Tools: An Honest 2026 Guide

A balanced 2026 comparison of JavaScript and TypeScript code review tools — ESLint, Biome, Semgrep, CodeQL, SonarQube, Snyk Code — with honest tradeoffs and where Safeguard fits.

Jul 3, 20266 min read
static-analysis (Page 2) — Safeguard Blog