
GEBBL | 2 years ago

Dependabot is good for scanning dependencies of popular languages, but it does not pick up ‘code smells’ like SonarQube would.

In addition, some vulnerabilities only appear at build time, so you would need to add in scanning during the pipeline.

It’s hard to get a full picture of the entire build process, and even still, vulns do get through, for example you forget to implement logic to prevent people from seeing the administration section of your app.

Security is part machine, part human effort - hard to catch everything, on top of the millions of projects and repositories out there, not all of them on GitHub.
