SDLC Gate Harnesses

Module S08 · Course 2A

75 min · Control Plane Shift · Multi-Scanner Orchestration · Trend + Risk · Vuln Triage at Scale

Prerequisite: S00–S07

S08.1 — The Control Plane Shift

Traditional SDLC: scan after commit, review findings days later. A leaked secret is in git history before anyone sees the report.

The review-time model assumes a slow, human-paced pipeline. That assumption is now false.

The AI coding agent problem

Agents create code, dependencies, workflows, and infra in seconds — faster than review-time checks can process.

An agent introduces a vulnerable dependency, an over-broad IAM role, an unauthed endpoint — all in one session. Overnight scan = structurally too slow.

Creation-time guardrails

Review-time (old)Creation-time (new)
WhenPost-commit, nightlyPre-commit, pre-merge, in-IDE
LatencyHours to daysSeconds
ActionReport to dashboardBlock, inline

Not "shift left" as a slogan. A structural change to where the gate lives.

Hard gate vs soft gate

FindingGate
Secrets (validated)HARD BLOCK
SAST critical (high conf)HARD BLOCK
SCA: CISA KEV or EPSS > 0.7HARD BLOCK
IaC: public exposureHARD BLOCK
SAST medium/lowSOFT WARN
SCA low EPSS, fix availableSOFT WARN

Over-blocking → developers override without reading. Block the immediately dangerous; warn the rest.

S08.2 — Multi-Scanner Orchestration

SAST
Semgrep, CodeQL (~90s)
SCA
Snyk, DepCheck (~30s)
Secrets
Gitleaks, Truffle (~10s)
IaC
Checkov, OPA (~15s)

Parallel: bounded by slowest (~90s). Sequential: sum (~145s). The difference is usable guardrail vs disabled guardrail.

Aggregation + dedup

Each scanner has its own format + severity scale. Normalize to a unified schema. Dedup across scanners via dedup_key.

Semgrep + CodeQL flag the same SQLi → one finding. Snyk + DepCheck report the same CVE → one finding. Duplicate findings erode trust — developer assumes the bot is broken.

Cross-scanner triage (LLM)

SCA finding (vulnerable lib) is only real if the vulnerable path is reachable — which SAST can determine. IaC finding (public bucket) is only an exposure if it holds sensitive data.

LLM correlates related findings across scanners: upgrade severity (reachable vuln), downgrade (no sensitive data). Insight no single scanner produces. Token-budgeted: high-severity first.

S08.3 — Trend Analysis + Risk Scoring

A single build is a snapshot. Trend: is the codebase getting safer or riskier? Direction matters more than absolute count.

Risk score per PR

0 – 100

ScoreGate
< 30Pass
30–60Requires security reviewer approval
> 60Blocked until findings resolved

Computed: severity-weighted new findings (crit=25, high=10, med=3, low=1) × trend modifier (rising ×1.2). Auditable, not a gut call. Net direction: +5 crit but fixed 7 = net positive.

Per-author attribution

For coaching, not punishment. An author with many SAST findings needs a 30-min session on common patterns.

Guardrail: visible to author + lead only. Feeds coaching conversations, never performance reviews. Misuse as punishment destroys psychological safety → developers disengage from the gate.

S08.4 — Vulnerability Triage at Scale

Hundreds of dependencies × CVE history = hundreds of findings. Raw and untriaged, the list is overwhelming.

EPSS inverts CVSS-only prioritization

CVSS 9.8, EPSS 0.01
High impact, almost never exploited → low urgency
CVSS 7.5, EPSS 0.8
Likely being exploited now → high urgency

CVSS = impact if exploited. EPSS = probability of exploitation in 30 days. CISA KEV = confirmed active exploitation → fix in hours.

The prioritized queue

CISA KEV → fix in HOURS
EPSS > 0.7 + reachable → fix in DAYS
EPSS > 0.7, not confirmed → verify reachability, then fix
High CVSS, low EPSS → backlog
Low CVSS, low EPSS → accept risk / batch-fix

Hundreds of raw CVEs → three things to fix this week.

What you take into S09

The SDLC gate harness is operational: creation-time guardrails, multi-scanner orchestration, trend + risk scoring, vulnerability triage at scale.

S09 shifts to cloud security harnesses: continuous posture, drift detection, and remediation across CSPM, CWPP, and CIEM in live cloud environments.