A practical guide to understanding and fixing a common security scanner false alarm.

Recently I have observed more development teams using AI coding assistants like Claude Code directly in their CI/CD pipelines. While the productivity gains can be impressive, this trend is raising serious security concerns that every organization should understand.

You’ve done the hard work. Your team created a comprehensive threat model, identified risks, and handed recommendations to the development team. But here’s the million-dollar question: How do you know they actually implemented the security controls? If you’re like most security teams, you’re probably hoping developers added the right code comments, wrote proper tests, and followed all your recommendations. But let’s be honest – that’s not always realistic. Here’s how to independently verify that your threat model recommendations actually made it into production.

With all the fancy security tools available today, you might wonder: should we still bother training developers on security? Or can we just rely on automated systems to catch all the problems? The short answer: You need both.

Dependabot gets a lot of criticism as an SCA tool, and much of it is justified. While GitHub markets it as a security solution, it lacks core capabilities that development teams need for managing supply chain risks.