Writing on SCA, call graph analysis, false positives, and the practical reality of integrating security into CI/CD pipelines that ship 50+ times a day. Authored by Derek Voss.
Every package in your lockfile is a potential supply chain entry point. Understanding how attackers think about your dependency graph is the first step to defending it.
Running security checks earlier in the pipeline is necessary — but if you're still surfacing 95% false positives, you've just moved the noise earlier.
Calling it DevSecOps doesn't make security part of the culture. The organizations that actually embed security into their development workflow share a few specific practices.
The average engineering org runs 7-10 security scanning tools. Each one has its own dashboard, alert format, and integration burden. At some point the tooling becomes the problem.
Three priorities keep coming up: developer experience, pipeline performance, and false-positive reduction.
Log4Shell sent the industry into a mass patching frenzy. In retrospect, most affected applications had log4j in the tree but no reachable path to JNDI lookup.
Vulnerable and Outdated Components (A06) is on the OWASP Top 10 for a reason. But the compliance checkbox approach to fixing it creates as many problems as it solves.
You added 5 direct dependencies. Your lockfile has 1,200 packages. Most CVEs in your dependency tree are 3-4 levels deep in transitive imports you never consciously chose.
The goal isn't to block PRs. It's to surface exactly the information a developer needs to make a good security decision — at the moment they're already looking at the change.
Engineering orgs shipping 50+ deploys per day need security tooling that matches their velocity. Batch-scan approaches built for weekly release cycles don't cut it.
Call graph analysis sounds complex but the core idea is simple: follow the path from your code to the vulnerable function. Here's how it works in practice.
When your security scanner cries wolf 50 times a day, developers start ignoring the alerts entirely. That's when the real vulnerabilities slip through.
Advisory-only SCA tools match CVE databases against your lockfile. That's necessary but not sufficient. Here's what you're missing when you stop there.
