Safeguard
Tag

vulnerability-scanning

Safeguard articles tagged "vulnerability-scanning" — guides, analysis, and best practices for software supply chain and application security.

82 articles

Container Security

Docker image vulnerability scanning: best practices for CI/CD

Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.

Jul 13, 20267 min read
Concepts

SAST vs SCA: What's the Difference? (Beginner's Guide)

SAST reads the code your team wrote, looking for insecure patterns. SCA inspects the open-source code you borrowed, looking for known vulnerabilities. One checks your writing; the other checks your ingredients.

Jul 8, 20267 min read
Container Security

Automating container image vulnerability scans in GitHub Actions

A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.

Jul 8, 20266 min read
Best Practices

Open-source penetration testing tools: a comparison guide

Nine open-source pentest tools, one decision problem: Nmap finds hosts, Metasploit exploits them, but neither replaces the other. Here's when to reach for each.

Jul 8, 20267 min read
Concepts

Agent-Based vs Agentless Scanning: What's the Difference?

Agent-based scanning installs software on each system to watch it from the inside. Agentless scanning inspects from the outside with no installation. One sees deeper; the other deploys faster.

Jul 7, 20266 min read
Application Security

Can an LLM find the same bug twice? What repeatability benchmarking reveals

In a 300-run benchmark, the best LLM scanner hit 75.4% F1 while a deterministic SAST baseline hit 100% — but the real story is in what varies between runs.

Jul 7, 20266 min read
Concepts

False Positives vs False Negatives: What's the Difference?

A false positive flags something safe as dangerous. A false negative misses something dangerous entirely. One wastes your time; the other gets you breached.

Jul 5, 20266 min read
Security Guides

.NET Dependency Vulnerability Scanning: A Practical Guide

How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.

Jul 4, 20265 min read
Security Guides

The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI

Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.

Jul 4, 20266 min read
Concepts

Introduction to Vulnerability Scanning

Vulnerability scanning is how teams find known weaknesses before attackers do. This guide explains what a scanner actually does, the main types, how a scan works end to end, and how to turn a wall of findings into a short list of things worth fixing.

Jul 4, 20266 min read
Container Security

Scanning Docker Images in CI/CD Pipelines

Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.

Jul 4, 20265 min read
Buyer's Guides

Best Vulnerability Scanners in 2026: A Buyer's Guide

A balanced guide to the best vulnerability scanners in 2026 across network, cloud, container, and software layers — Tenable, Qualys, Rapid7, Wiz, Trivy, and Snyk — with honest tradeoffs and where Safeguard fits for software and supply-chain scanning.

Jul 2, 20266 min read
vulnerability-scanning — Safeguard Blog