vulnerability-scanning
Safeguard articles tagged "vulnerability-scanning" — guides, analysis, and best practices for software supply chain and application security.
82 articles
Docker image vulnerability scanning: best practices for CI/CD
Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.
SAST vs SCA: What's the Difference? (Beginner's Guide)
SAST reads the code your team wrote, looking for insecure patterns. SCA inspects the open-source code you borrowed, looking for known vulnerabilities. One checks your writing; the other checks your ingredients.
Automating container image vulnerability scans in GitHub Actions
A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.
Open-source penetration testing tools: a comparison guide
Nine open-source pentest tools, one decision problem: Nmap finds hosts, Metasploit exploits them, but neither replaces the other. Here's when to reach for each.
Agent-Based vs Agentless Scanning: What's the Difference?
Agent-based scanning installs software on each system to watch it from the inside. Agentless scanning inspects from the outside with no installation. One sees deeper; the other deploys faster.
Can an LLM find the same bug twice? What repeatability benchmarking reveals
In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.
False Positives vs False Negatives: What's the Difference?
A false positive flags something safe as dangerous. A false negative misses something dangerous entirely. One wastes your time; the other gets you breached.
.NET Dependency Vulnerability Scanning: A Practical Guide
How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.
The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI
Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.
Introduction to Vulnerability Scanning
Vulnerability scanning is how teams find known weaknesses before attackers do. This guide explains what a scanner actually does, the main types, how a scan works end to end, and how to turn a wall of findings into a short list of things worth fixing.
Scanning Docker Images in CI/CD Pipelines
Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.
Best Vulnerability Scanners in 2026: A Buyer's Guide
A balanced guide to the best vulnerability scanners in 2026 across network, cloud, container, and software layers — Tenable, Qualys, Rapid7, Wiz, Trivy, and Snyk — with honest tradeoffs and where Safeguard fits for software and supply-chain scanning.