vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
GitHub dependency graph and dependency review explained
How GitHub Dependency Graph and Dependency Review actually work, what GitHub Advanced Security adds on top, and where the coverage gaps are for teams relying on manifest-only scanning.
SBOM export in GitHub: generating a software bill of mate...
GitHub lets you export an SPDX SBOM in two clicks, but the file only reflects what its dependency graph can see. Here's what's missing and how Safeguard fills it.
10 Docker image security best practices
Ten concrete Docker image security practices — minimal base images, secret handling, reachability-based scanning, non-root runtimes, and SBOMs — with real CVEs and data.
Choosing secure base images for containers
Base image choice drives most of your container's attack surface. Here's what secure Docker base images actually require, with concrete CVE data.
Distroless container images explained
Distroless images cut container size by up to 90% and eliminate OS-level CVEs, but they don't secure app dependencies. Here's how they work and where they fall short.
Alpine vs distroless: which base image is more secure
Alpine and distroless both shrink attack surface differently. We compare real CVEs, musl risks, and patch tradeoffs to settle which base image actually wins.
Scanning container images in CI/CD pipelines
Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.
How AppSec teams cut false-positive triage time
AppSec teams drown in false positives. See how Safeguard's supply-chain-native triage compares to Checkmarx's SAST-driven approach on reachability, context, and workflow fit.
HIPAA requirements and application security
HIPAA's Security Rule ties ePHI protection to application security, but scanner tools like Checkmarx rarely map findings to 45 CFR safeguards. Here's what compliance teams actually need.
Container security throughout the SDLC
A clean build-time scan doesn't mean a secure container. Here's why container security has to span code, build, deploy, and runtime — with real CVE examples.
OCI image vulnerability scanning explained
A concrete breakdown of how OCI image vulnerability scanning works, where scanners miss real risk, and how to build a scan workflow that doesn't drown teams in noise.
Application Security: The Complete Guide
What is application security? A concrete guide covering AppSec fundamentals, OWASP Top 10 risks, supply chain threats, and how Safeguard fills the gaps legacy tools like Veracode leave open.