static-analysis
Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.
106 articles
Finding Vulnerabilities in Source Code: A Practical Method
A concrete, repeatable method for finding vulnerabilities in source code — combining static analysis, dependency scanning, and manual review without drowning your team in false positives.
Code Security Review: Manual vs Automated, and Where They Meet
Code security review works best as a combination, not a choice — here's what automated scanning catches, what still needs a human reviewer, and how to structure both.
Dataflow Analysis in Modern Codebases
Dataflow analysis is the workhorse behind most vulnerability research. Here's how it adapts to TypeScript, Rust, and the polyglot realities of modern software.
Reachability Analysis: Cutting Through Vulnerability Noise
Not every vulnerability in your dependencies is exploitable. Safeguard's reachability analysis determines whether vulnerable code paths are actually invoked in your application.
SAST Meaning and Full Form: Static Application Security Testing Explained
SAST stands for Static Application Security Testing — analyzing source code for vulnerabilities without running it. Here is what the term means, how it works, and where it fits alongside DAST and SCA.
Static Analysis False-Positive Reduction
A technique-by-technique tour of how modern static analyzers cut false positives, from CodeQL's path pruning to Infer's bi-abduction.
SAST Tool Accuracy Benchmarks 2024: What the Data Actually Shows
Static Application Security Testing tools vary dramatically in accuracy. We analyze detection rates, false positive rates, and language coverage across leading SAST tools using standardized benchmarks.
Taint Analysis for Zero-Day Discovery: A Primer
A practitioner's walk-through of taint analysis as a zero-day discovery technique, from classic Livshits and Lam foundations to modern flow-sensitive engines.
What Does SAST Stand For, Exactly?
SAST stands for static application security testing — analyzing source code for vulnerabilities without ever running the program, which is what separates it from every dynamic testing approach.
Semgrep vs CodeQL: Static Analysis for Security Teams
A deep comparison of Semgrep and CodeQL for static application security testing, covering rule writing, performance, language support, and practical deployment considerations.
SonarQube Security Scanning: Code Quality Meets Application Security
A review of SonarQube's security scanning capabilities, examining how its code quality heritage shapes its approach to vulnerability detection and taint analysis.
Kotlin detekt Security Rules: Catching Vulnerabilities in Kotlin Code
detekt is Kotlin's primary static analysis tool. Its security-relevant rules catch patterns that lead to vulnerabilities in Android and server-side Kotlin.