DUBLIN, Calif. — July 5, 2026 — Safeguard today introduced first-party application security testing — static analysis of source code (SAST) and dynamic testing of running applications (DAST) — extending its software supply chain security platform so that code-level and runtime findings share a single, unified model alongside the company's existing SCA, secrets, container, and infrastructure-as-code scanning.
Unlike stacks assembled from separate SAST, DAST, and SCA tools that each report in their own format, Safeguard's engines emit one unified finding — the same severity scale, status lifecycle, and tenant and organization scoping across every source. The result is a single review queue, one policy language for enforcement, and a single API surface for all of application security.
The platform correlates findings across engines. When a DAST-confirmed runtime issue maps to the specific SAST source-code sink that produced it, the two are linked and prioritized together, so an issue that is both reachable in code and confirmed at runtime is surfaced ahead of a static match that cannot be triggered.
SAST traces untrusted input from source to sink across functions and files and returns the full dataflow path with CWE and OWASP mapping; it can run on a local runner so source code never leaves the customer's perimeter. Initial language coverage is JavaScript/TypeScript, Python, and Java, with additional languages planned.
Safeguard DAST is a defensive, authorized-testing capability. Active checks run only against targets whose ownership has been verified, every request is checked against an allow-listed scope, per-target rate limits are mandatory, payloads are non-destructive by default, and every request and finding change is recorded in a tenant-scoped audit trail.
"Code security and runtime security have lived in separate tools for too long, and the gap between them is exactly where real risk hides," said Hritik Kumar Sharma, Founder and CEO of Safeguard. "By making SAST and DAST first-party engines that share one findings model, a vulnerability we see in the source and confirm at runtime becomes a single, prioritized, provable finding — not two disconnected alerts a team has to reconcile by hand."
Application security testing is being rolled out in stages; the platform integration, unified findings model, and DAST safety controls are available first, with detection depth expanding over subsequent releases. Customers can add SAST and DAST through the same integration flow used for repositories and registries, and the capability runs on-premises and in air-gapped environments consistent with the rest of the platform.
About Safeguard
Safeguard is the software supply chain security platform that fuses multiple scanners, a security-only AI model lineup (Griffin · Eagle · Lion), and reachability-aware reasoning to find what pattern scanners miss — from CVEs to candidate zero-days — and to ship the fix with cited reasoning. Learn more at https://safeguard.sh.