vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
How Snyk's GitLab CI/CD template integrates security gate...
A technical look at how Snyk's GitLab CI/CD template authenticates, scans, and uses severity thresholds to block merge requests with known vulnerabilities.
How Snyk integrates with Jenkins to fail builds on new vu...
A mechanical look at how the Snyk Jenkins plugin scans manifests, applies severity thresholds, and turns newly disclosed vulnerabilities into failed builds.
How Snyk's --project-tags and business-criticality flags ...
How Snyk CLI's --project-tags and --project-business-criticality flags attach business context to scans, and why that context can drift out of date.
Nginx 1.18.0 Vulnerabilities: Audit and Upgrade Path
Nginx 1.18.0 left support in 2021, but not every scanner hit is exploitable — and many distro builds are already patched. How to audit what you actually run and get onto a supported line.
The Real Cost of Delayed Patching in Open Source Components
Patches for open source flaws often exist for months before teams apply them. Here is what that patch lag actually costs in breaches, cleanup, and trust.
How Dependency Graphs Reveal Hidden Supply Chain Risk
Dependency graph analysis reveals which transitive packages can actually reach your code. From Log4Shell to the xz backdoor, see why flat scans miss what graphs catch.
Why 'Time to Fix' Is a Better Supply Chain Metric Than Vu...
Vulnerability counts measure how hard you're looking, not how exposed you are. Here's why mean time to remediate is the metric that actually predicts breach risk.
Monorepo vs Polyrepo: How Architecture Choices Shape Supp...
Monorepos and polyrepos don't just shape build times — they shape blast radius, patch speed, and dependency visibility. Here's how each affects supply chain risk.
The Economics of Free Riding in Open Source Security
Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.
Why Vulnerability Disclosure Timelines Still Vary Wildly ...
Google gives vendors 90 days, ZDI gives 120, the EU wants 24 hours, and Linux had no CVE process until 2024. Here's why disclosure timelines diverge so sharply across ecosystems.
From Log4Shell to Now: What Changed and What Didn't in Su...
Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.
Do Bug Bounties Actually Reduce Open Source Risk? An Inde...
Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.