75 min · Control Plane Shift · Multi-Scanner Orchestration · Trend + Risk · Vuln Triage at Scale
Prerequisite: S00–S07
Traditional SDLC: scan after commit, review findings days later. A leaked secret is in git history before anyone sees the report.
The review-time model assumes a slow, human-paced pipeline. That assumption is now false.
Agents create code, dependencies, workflows, and infra in seconds — faster than review-time checks can process.
An agent introduces a vulnerable dependency, an over-broad IAM role, an unauthed endpoint — all in one session. Overnight scan = structurally too slow.
| Review-time (old) | Creation-time (new) | |
|---|---|---|
| When | Post-commit, nightly | Pre-commit, pre-merge, in-IDE |
| Latency | Hours to days | Seconds |
| Action | Report to dashboard | Block, inline |
Not "shift left" as a slogan. A structural change to where the gate lives.
| Finding | Gate |
|---|---|
| Secrets (validated) | HARD BLOCK |
| SAST critical (high conf) | HARD BLOCK |
| SCA: CISA KEV or EPSS > 0.7 | HARD BLOCK |
| IaC: public exposure | HARD BLOCK |
| SAST medium/low | SOFT WARN |
| SCA low EPSS, fix available | SOFT WARN |
Over-blocking → developers override without reading. Block the immediately dangerous; warn the rest.
Parallel: bounded by slowest (~90s). Sequential: sum (~145s). The difference is usable guardrail vs disabled guardrail.
Each scanner has its own format + severity scale. Normalize to a unified schema. Dedup across scanners via dedup_key.
Semgrep + CodeQL flag the same SQLi → one finding. Snyk + DepCheck report the same CVE → one finding. Duplicate findings erode trust — developer assumes the bot is broken.
SCA finding (vulnerable lib) is only real if the vulnerable path is reachable — which SAST can determine. IaC finding (public bucket) is only an exposure if it holds sensitive data.
LLM correlates related findings across scanners: upgrade severity (reachable vuln), downgrade (no sensitive data). Insight no single scanner produces. Token-budgeted: high-severity first.
A single build is a snapshot. Trend: is the codebase getting safer or riskier? Direction matters more than absolute count.
0 – 100
| Score | Gate |
|---|---|
| < 30 | Pass |
| 30–60 | Requires security reviewer approval |
| > 60 | Blocked until findings resolved |
Computed: severity-weighted new findings (crit=25, high=10, med=3, low=1) × trend modifier (rising ×1.2). Auditable, not a gut call. Net direction: +5 crit but fixed 7 = net positive.
For coaching, not punishment. An author with many SAST findings needs a 30-min session on common patterns.
Guardrail: visible to author + lead only. Feeds coaching conversations, never performance reviews. Misuse as punishment destroys psychological safety → developers disengage from the gate.
Hundreds of dependencies × CVE history = hundreds of findings. Raw and untriaged, the list is overwhelming.
CVSS = impact if exploited. EPSS = probability of exploitation in 30 days. CISA KEV = confirmed active exploitation → fix in hours.
Hundreds of raw CVEs → three things to fix this week.
The SDLC gate harness is operational: creation-time guardrails, multi-scanner orchestration, trend + risk scoring, vulnerability triage at scale.
S09 shifts to cloud security harnesses: continuous posture, drift detection, and remediation across CSPM, CWPP, and CIEM in live cloud environments.