static-analysis
Safeguard articles tagged "static-analysis" — guides, analysis, and best practices for software supply chain and application security.
106 articles
SpotBugs Security Detectors for Java: A Practical Guide
SpotBugs with Find Security Bugs is the most effective free security analysis tool for Java. Here is how to get real results from it.
Swift Security Analysis Tools: The Current Landscape
Swift's type safety helps, but it does not eliminate all security bugs. Here is the current tooling landscape for finding vulnerabilities in Swift code.
gosec: Static Analysis for Go Security
gosec is the standard security linter for Go. Here is what it catches, what it misses, and how to integrate it effectively into your workflow.
PHPStan Security Analysis: Static Typing as a Security Tool for PHP
PHPStan brings static analysis to PHP. Its type checking catches entire classes of bugs that lead to security vulnerabilities in PHP applications.
Runtime vs Static Container Analysis: Complementary, Not Competing
Static scanning finds known vulnerabilities. Runtime analysis finds actual exploitation. Using only one gives you half the picture.
Taming Static Analysis: A Practical Guide to False Positive Reduction
False positives kill SAST adoption faster than anything else. Here is how to cut through the noise without missing real vulnerabilities.
Bandit for Python Security Linting: Getting Real Value From Static Analysis
Bandit scans Python code for security issues. Here is how to configure it so it catches real bugs without burying your team in false positives.
GoSec Static Analysis for Go: Practical Security Scanning
GoSec finds security issues in Go source code. Here is how to get the most out of it without fighting false positives all day.
Clippy Rust Security Lints: Catching What the Borrow Checker Misses
Rust's compiler catches memory safety bugs. Clippy catches everything else -- including security anti-patterns the borrow checker does not care about.
ESLint Security Rules Configuration: A Practical Guide
ESLint can catch security issues before they reach production. Here is how to configure security-focused rules that actually help without drowning you in noise.