static-analysis
Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.
106 articles
How Snyk Code's confidence scoring separates high-confide...
How Snyk Code's confidence scoring works under the hood, and why "high confidence" and "severity" are not the same axis for triage.
How Snyk Code analyzes API usage patterns to catch insecu...
A technical look at how Snyk Code's symbolic engine and taint tracking flag insecure API calls like weak crypto, XXE, and SSRF before code ships.
How Snyk Code detects path traversal vulnerabilities thro...
How Snyk Code uses interprocedural data-flow tracing—not regex matching—to catch path traversal (CWE-22) by connecting tainted sources to file-system sinks.
How Snyk Code's duplicate and similar-code detection supp...
Snyk Code once shipped duplicate and similar-code detection under its Code Quality rules. Here's how it worked, and what its 2025 retirement means for teams.
How Snyk Container's static filesystem analysis avoids th...
How Snyk Container inspects image layers, package databases, and lockfiles without ever running the container — and where static filesystem analysis hits its limits.
How Snyk IaC's static analysis engine parses Terraform HC...
A technical walkthrough of how Snyk IaC parses Terraform HCL into JSON, evaluates it with OPA/Rego policies, and maps violations back to source lines.
A Checkmarx Scan: What It Actually Analyzes
A breakdown of what a Checkmarx scan actually analyzes under the hood, what its static analysis engine catches well, and where teams typically add another tool alongside it.
Why Scanning AI-Generated Code Requires Different Heurist...
AI coding assistants write fast but fail differently than humans do. Learn why scanning AI-generated code needs new heuristics for hallucinated dependencies.
Reachability Analysis in 2025: Separating Exploitable Vulnerabilities from Noise
Reachability analysis determines whether a vulnerable function is actually called by your application. The technology has matured from research concept to production tool. Here is how it works and where it falls short.
Why Traditional SAST Tools Struggle to Analyze Agentic Co...
Agentic codebases build call graphs at runtime, defeating static analysis. Here's why SAST tools miss prompt injection and tool-schema risks—and how Safeguard closes the gap.
What Is Checkmarx? A Plain-English Overview
Checkmarx is one of the oldest names in static analysis, built for large enterprises with dedicated security teams. Here's what it actually does and how it stacks up.
Open Source SAST Tools Worth Evaluating
A rundown of the open source SAST tools engineering teams actually use in production, and where each one runs out of road.