Safeguard
Tag

vulnerability-management

Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.

635 articles

Container Security

How Snyk Container maps vulnerabilities to specific image...

How Snyk Container uses OCI manifest metadata, diff_ids, and Dockerfile history to trace a vulnerable package to the exact layer and build instruction that introduced it.

Sep 7, 20258 min read
Container Security

How Snyk Container's Base Image filter isolates OS-level ...

How Snyk Container's Base Image filter separates OS-level vulnerabilities from application dependencies, how it identifies base images, and where attribution breaks down.

Sep 7, 20257 min read
Container Security

How Snyk Container integrates with Kubernetes workloads f...

How Snyk Container's Kubernetes integration uses a read-only controller to continuously re-check running workload images as new CVEs are disclosed.

Sep 6, 20257 min read
Open Source Security

How Snyk Container prioritizes OS package vulnerabilities...

A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.

Sep 5, 20258 min read
Container Security

How Snyk Container's automatic base image remediation PRs...

How Snyk Container's automatic base image remediation PRs pick replacement tags, what triggers them, and what they actually change in a Dockerfile.

Sep 4, 20256 min read
Container Security

How Snyk Container's exclude and allow policies reduce no...

Snyk Container's exclude and allow policies scope ignore rules to specific paths and layers, filtering base-image noise without hiding real application risk.

Sep 3, 20257 min read
Open Source Security

Why Snyk's vulnerability database often reports issues be...

NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.

Aug 28, 20257 min read
Open Source Security

How Snyk's Fix PRs mechanically differ from Upgrade PRs a...

Snyk's Upgrade, Fix, and Backlog PRs aren't interchangeable — each changes different files and carries different CI risk. Here's the mechanical breakdown.

Aug 28, 20258 min read
Open Source Security

How snyk monitor creates and tracks a point-in-time proje...

A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.

Aug 27, 20257 min read
Open Source Security

How Snyk Open Source's PR checks block merges based on se...

A technical look at how Snyk Open Source's PR checks scan pull requests, compare severity to configured thresholds, and gate merges in CI/CD.

Aug 27, 20257 min read
Open Source Security

How Snyk calculates direct versus transitive dependency v...

Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.

Aug 27, 20257 min read
Open Source Security

How the Snyk Priority Score algorithm blends CVSS, exploi...

How Snyk's Priority Score blends CVSS severity, exploit maturity, and reachability analysis into a single 1-1000 vulnerability ranking score.

Aug 26, 20257 min read
vulnerability-management (Page 42) — Safeguard Blog