Q001 — Security Tool Adoption Rates in OSS CI Pipelines — Self-Audit

Process Audit (Analytical Domains)

  • Domain: Evaluation Consistency
    Rating: Pass
    Rationale: The CodeQL longitudinal study (high reliability academic source) and the konvu.com comparison (medium reliability vendor source) were appropriately weighted. The academic source was given more credibi
  • Domain: Synthesis Fairness
    Rating: Concern
    Rationale: The synthesis appropriately identified the SAST-SCA adoption gap but may under-represent the significance of the 69.2% Dependabot figure. Dependabot's high adoption rate could be framed as evidence th

Source-Back Verification

Sources verified: 4

Discrepancies

  • Severity: minor, at https://arxiv.org/html/2602.14572v3
    Assessment claims: The assessment states Dependabot has 69.2% adoption 'among GitHub Actions users.'
    Source actually says: The source says Dependabot 'was found to be used in 69.2% of all workflow histories' — this refers to workflow histories in the study sample (repos with 300+ stars and commits), not all GitHub Actions users.