Recently, I have observed more development teams using AI coding assistants like Claude Code directly in their CI/CD pipelines. While the productivity gains can be impressive, this trend raises serious security concerns that every organization should understand.
You’ve done the hard work. Your team created a comprehensive threat model, identified risks, and handed recommendations to the development team. But here’s the million-dollar question: How do you know they actually implemented the security controls?
If you’re like most security teams, you’re probably hoping developers added the right code comments, wrote proper tests, and followed all your recommendations. But let’s be honest – that’s not always realistic.
Here’s how to independently verify that your threat model recommendations actually made it into production.
With all the fancy security tools available today, you might wonder: should we still bother training developers on security? Or can we just rely on automated systems to catch all the problems?
The short answer: You need both.
Dependabot gets a lot of criticism as an SCA tool, and much of it is justified. While GitHub markets it as a security solution, it lacks core capabilities that development teams need for managing supply chain risks.
Most teams waste time reviewing dependency update pull requests. Engineers spend hours each week checking if library updates will break their code. This process slows down development and creates backlogs of security patches.
There is a better way. Teams can automatically merge dependency updates when they have the right setup.