SAST / DAST present.

None

One tool, partial coverage

Both static and dynamic application security testing in place, tuned, with agent-actionable findings. All finding suppressions and rule disables carry a documented rationale and a named reviewer, stored in version control alongside the code they cover; suppressions of high-severity findings additionally carry an expiry date for mandatory re-review. Suppressions without documentation block merge

Findings triaged by past resolution patterns; recurring vulnerability classes auto-generate prevention tasks. Stale or expired suppressions auto-flagged for review; recurring suppression patterns generate hardening tasks rather than additional waivers; suppression rate tracked and trends toward zero