Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
CVSS by itself produces a queue ordered by hypothetical severity. Reachability orders by actual exposure. Mixing the two correctly is where mature programs land.
Next-gen SCA tools moved past package-tree scanning to reachability, runtime context, and exploit signal. Here's what actually changed and why it matters.
An auditor asks why you didn't fix CVE-X. The defensible answer involves reachability evidence. Without it, the conversation gets uncomfortable.
Pure-LLM vulnerability scanners hit production around 2024. By 2026 their failure modes are documented. Reachability remains the backbone — and the LLM is most useful on top of it.
Reachability across a monorepo or a microservices fleet needs different engineering than reachability inside a single service. Both are tractable; both have specific failure modes.
Ruby reachability under metaprogramming, Rails autoloading, and Bundler groups. What bundler-audit and modern tools handle, and where they punt to over-approximation.
An SBOM is a list. A reachability-prioritised SBOM is a triage queue. The difference determines whether the SBOM produces value or sits unread.
Most scanners stop at five or six levels of transitive depth. Real production graphs run sixty levels deep, and the most interesting vulnerabilities live in the long tail.
EU CRA enforcement asks vendors and operators to demonstrate due diligence on software components. Reachability is the evidence that makes the demonstration honest.
Weekly insights on software supply chain security, delivered to your inbox.