vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
How Snyk Container maps vulnerabilities to specific image...
How Snyk Container uses OCI manifest metadata, diff_ids, and Dockerfile history to trace a vulnerable package to the exact layer and build instruction that introduced it.
How Snyk Container's Base Image filter isolates OS-level ...
How Snyk Container's Base Image filter separates OS-level vulnerabilities from application dependencies, how it identifies base images, and where attribution breaks down.
How Snyk Container integrates with Kubernetes workloads f...
How Snyk Container's Kubernetes integration uses a read-only controller to continuously re-check running workload images as new CVEs are disclosed.
How Snyk Container prioritizes OS package vulnerabilities...
A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.
How Snyk Container's automatic base image remediation PRs...
How Snyk Container's automatic base image remediation PRs pick replacement tags, what triggers them, and what they actually change in a Dockerfile.
How Snyk Container's exclude and allow policies reduce no...
Snyk Container's exclude and allow policies scope ignore rules to specific paths and layers, filtering base-image noise without hiding real application risk.
Why Snyk's vulnerability database often reports issues be...
NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.
How Snyk's Fix PRs mechanically differ from Upgrade PRs a...
Snyk's Upgrade, Fix, and Backlog PRs aren't interchangeable — each changes different files and carries different CI risk. Here's the mechanical breakdown.
How snyk monitor creates and tracks a point-in-time proje...
A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.
How Snyk Open Source's PR checks block merges based on se...
A technical look at how Snyk Open Source's PR checks scan pull requests, compare severity to configured thresholds, and gate merges in CI/CD.
How Snyk calculates direct versus transitive dependency v...
Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.
How the Snyk Priority Score algorithm blends CVSS, exploi...
How Snyk's Priority Score blends CVSS severity, exploit maturity, and reachability analysis into a single 1-1000 vulnerability ranking score.