How do you actually prioritize SCA findings without burning out your dev team?

#585437 Rebeca (Participant)

We’ve been running SCA tools for months now, and the vulnerability reports are overwhelming. Hundreds of transitive dependencies flagged, some critical, some cosmetic. My security team wants everything fixed immediately. My developers say half of these aren’t even reachable in production and ask me to prove exploitability before they’ll touch anything.

I get both sides. Security wants to reduce risk, devs want to ship features. But the current workflow is broken. We’re spending more time triaging false positives and debating severity scores than actually fixing real issues.

A few specific questions for those who’ve been doing this for a while:

• Do you rely on reachability data from tools like Snyk or Endor Labs? Or is that still too immature to trust?
• How do you handle transitive dependencies with no direct fix available? Do you override versions, patch yourself, or just accept the risk and document it?
• What’s your threshold for auto-blocking PRs? Critical + reachable? Or do you block on any CVSS above 7.0 regardless of context?
• For teams using ephemeral environments (containers, serverless), how often do you rescan? Every build? Weekly?
• Any tips for convincing leadership that some vulnerabilities are “vulnerabilities” in name only, like dev dependencies or test utilities that never touch production data?

We’re a mid-sized SaaS company with about 25 microservices. Right now we’re drowning in Jira tickets. Would love to hear what actually works at scale.
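The post above contrasts two PR-blocking policies (critical + reachable versus any CVSS above 7.0) and asks how to handle dev-only scope and transitive dependencies with no direct fix. The following is an added example, not code from the post or from any SCA vendor: a small policy engine that takes normalized findings and decides, per finding, what to do and whether it should block a PR. The `Finding` schema, the `EXAMPLE-000n` advisory IDs, the package names and the thresholds are all constructed for illustration; real tools emit their own formats and the policy values are one defensible choice, not a recommendation.

```python
"""Policy-based triage of SCA findings (added illustration, not vendor code).

Assumptions: findings have already been normalized into the `Finding`
shape below from whatever your SCA tool exports. Advisory IDs, package
names and versions are constructed placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    package: str
    version: str
    advisory: str               # placeholder id, NOT a real CVE identifier
    cvss: float
    scope: str                  # "runtime", "dev" or "test"
    direct: bool                # True = direct dependency, False = transitive
    reachable: Optional[bool]   # None = tool gave no reachability verdict
    fixed_in: Optional[str]     # version that contains the fix, or None
    parent_fixed: bool = False  # transitive only: has the direct parent released a bump?


@dataclass
class Decision:
    action: str      # "fix", "override", "mitigate", "schedule" or "track"
    blocks_pr: bool
    reason: str


def triage(f: Finding, block_threshold: float = 9.0) -> Decision:
    """Decide what to do with one finding and whether it blocks the PR.

    Blocking rule: reachable (or reachability unknown) AND cvss >= block_threshold.
    Dev/test-scoped packages never block; non-reachable runtime findings never block.
    """
    # 1. Dev/test-only dependencies do not ship to production: track, don't block.
    if f.scope != "runtime":
        return Decision("track", False,
                        f"{f.scope}-scoped dependency; not shipped to production")

    # 2. Unknown reachability is treated as reachable (conservative default), so a
    #    tool that cannot analyse a package does not silently downgrade its finding.
    reachable = f.reachable is not False
    if not reachable:
        action = "schedule" if f.fixed_in else "track"
        return Decision(action, False,
                        "vulnerable code not reachable from application code")

    # 3. Reachable: pick the remediation path, then apply the blocking threshold.
    if f.fixed_in and f.direct:
        action, how = "fix", f"bump {f.package} to {f.fixed_in}"
    elif f.fixed_in and f.parent_fixed:
        action, how = "fix", "bump the direct parent that pulls it in"
    elif f.fixed_in:
        # Transitive dependency whose parent has not released a fix yet:
        # pin the patched version through the package manager's override/resolution.
        action, how = "override", f"pin {f.package}=={f.fixed_in} via a version override"
    else:
        action, how = "mitigate", "no fixed version published; add a control or document accepted risk"
    return Decision(action, f.cvss >= block_threshold, f"reachable, CVSS {f.cvss}: {how}")


def triage_all(findings: List[Finding], block_threshold: float = 9.0) -> Dict[str, Decision]:
    return {f.advisory: triage(f, block_threshold) for f in findings}


def blocking_advisories(findings: List[Finding], block_threshold: float = 9.0) -> List[str]:
    """Advisory ids that would fail the PR under the given threshold."""
    return sorted(a for a, d in triage_all(findings, block_threshold).items() if d.blocks_pr)


def action_counts(findings: List[Finding], block_threshold: float = 9.0) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in triage_all(findings, block_threshold).values():
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample scan output; every value here is made up for the example.
SAMPLE_FINDINGS = [
    Finding("http-parser-lib", "1.4.2", "EXAMPLE-0001", 9.8, "runtime", True, True, "1.4.3"),
    Finding("yaml-util", "2.0.0", "EXAMPLE-0002", 9.1, "runtime", False, None, "2.1.0"),
    Finding("deep-tree-walk", "0.9.1", "EXAMPLE-0003", 7.5, "runtime", False, False, "0.9.2"),
    Finding("test-fixtures", "3.3.0", "EXAMPLE-0004", 9.9, "test", True, True, None),
    Finding("legacy-codec", "5.0.0", "EXAMPLE-0005", 8.2, "runtime", False, True, None),
]


if __name__ == "__main__":
    for threshold in (9.0, 7.0):
        print(f"block threshold {threshold}: blocks {blocking_advisories(SAMPLE_FINDINGS, threshold)}")
    for adv, d in triage_all(SAMPLE_FINDINGS).items():
        print(f"{adv}: {d.action:9s} blocks={d.blocks_pr!s:5s} {d.reason}")
```

Running the sample with the 9.0 threshold blocks only the two reachable critical findings, including the transitive one whose reachability the tool could not determine; dropping the threshold to 7.0 additionally blocks the reachable 8.2 finding that has no published fix, which is exactly the case where a blocking policy produces a ticket nobody can close without an override or an accepted-risk record.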
