Contents
Summary
Query: What are the primary barriers to adoption of comprehensive security scanning pipelines in open source projects, and what evidence exists for 'security fatigue' — the phenomenon where initial post-incident surges in security tooling adoption (e.g., after Log4Shell) reverse over time? What role do setup complexity, false-positive rates, and maintenance burden play in driving abandonment?
Bottom Line: The primary barriers are lack of awareness, supply chain mistrust, high false positive rates (68-75% for SAST), setup complexity, and the perception that security features are unnecessary. None of the sources reviewed provides direct evidence of 'security fatigue' in the spike-and-decline sense (a post-incident surge in tooling adoption that later reverses). The observed pattern is better characterized as persistent non-adoption. The Log4j case, in which 13% remained vulnerable more than three years after Log4Shell despite a non-breaking fix being available, points to inertia rather than reversal.
Results
| Artifact | Description |
| --- | --- |
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Searches
| ID | Target | Returned | Selected |
| --- | --- | --- | --- |
| S01 | Documented barriers to security tooling adoption in open sou | 0 | 0 |
| S02 | Security tooling adoption spikes and reversals after inciden | 0 | 0 |
| S03 | False positive rates and alert fatigue in SAST and SCA tools | 0 | 0 |
| S04 | Security fatigue as a documented phenomenon in the literatur | 0 | 0 |
| S05 | Maintenance burden and setup complexity of security scanning | 0 | 0 |
Sources
| ID | Title | Reliability | Relevance |
| --- | --- | --- | --- |
| SRC001 | https://arxiv.org/html/2602.14572v3 | High | High |
| SRC002 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC003 | https://github.com/ossf/scorecard | High | High |
| SRC004 | https://www.blackduck.com/blog/open-source-trends-ossra-repo | Medium | High |
| SRC005 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC006 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC007 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC008 | https://www.moderne.ai/blog/security-dependency-updates-unma | Medium | High |
| SRC009 | https://konvu.com/compare/semgrep-vs-codeql | Medium | High |
| SRC010 | https://arxiv.org/html/2605.07900v1 | High | High |
| SRC011 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC012 | https://openssf.org/blog/2024/01/31/maintainer-motivations-c | High | High |
| SRC013 | https://link.springer.com/article/10.1007/s10664-023-10369-w | High | Medium |
Evidence Snapshot
| Dimension | Rating |
| --- | --- |
| Evidence quality | Medium |
| Source agreement | High |
Revisit Triggers
- [study] A longitudinal study measuring security tool adoption rates before and after Log4Shell or XZ Utils is published
- [data_update] GitHub publishes time-series data on security workflow additions and removals
- [study] A study on security tool abandonment rates in open source is published
- [policy] NIST or a standards body publishes guidance specifically on security fatigue in developer tooling
- [organization] The OpenSSF Security Baseline gains sufficient adoption to generate adoption/abandonment statistics