Q002 — Barriers to OSS Security Scanning Adoption — Medium
Summary
Query: What are the primary barriers to adoption of comprehensive security scanning pipelines in open source projects, and what evidence exists for 'security fatigue' — the phenomenon where initial post-incident surges in security tooling adoption (e.g., after Log4Shell) reverse over time? What role do setup complexity, false-positive rates, and maintenance burden play in driving abandonment?
Bottom Line: The primary barriers are: (1) lack of awareness of available security tools and features; (2) perception that security tooling is not necessary; (3) extreme false-positive rates of 60-91% out of the box creating alert fatigue; (4) supply chain mistrust and lack of automation. Direct empirical evidence for temporal 'security fatigue' (post-incident surges followed by reversal) was not found. Log4j data shows persistent vulnerable consumption declining slowly (from 30-35% to 13% over three years), consistent with gradual attention decay but not a clear surge-and-reversal cycle.
Results
| Artifact | Description |
| --- | --- |
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Searches
| ID | Target | Returned | Selected |
| --- | --- | --- | --- |
| S01 | Documented barriers to security tooling adoption in OSS | 0 | 0 |
| S02 | Post-incident security tooling adoption surges and decay | ? | ? |
| S03 | False positive rates and alert fatigue in SAST/SCA tools | 0 | 0 |
| S04 | Setup complexity and maintenance burden as adoption barriers | ? | ? |
| S05 | Post-incident security tooling adoption surges and decay | ? | ? |
Sources
| ID | Title | Reliability | Relevance |
| --- | --- | --- | --- |
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://arxiv.org/html/2602.14572v3 | High | High |
| SRC003 | https://www.blackduck.com/blog/open-source-trends-ossra-repo | High | High |
| SRC004 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC005 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
| SRC006 | https://www.sonatype.com/press-releases/sonatypes-10th-annua | High | High |
| SRC007 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC008 | https://github.com/ossf/scorecard | High | High |
| SRC009 | https://blog.jetbrains.com/teamcity/2025/10/the-state-of-cic | Medium | Medium |
| SRC010 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC011 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC012 | https://thenewstack.io/checking-linuxs-code-with-static-anal | High | High |
| SRC013 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
Evidence Snapshot
| Dimension | Rating |
| --- | --- |
| Evidence quality | Medium |
| Source agreement | Medium |
Revisit Triggers
- [study] A longitudinal study measuring security tool adoption before and after Log4Shell (or XZ Utils, 2024) is published.
- [data_update] GitHub publishes temporal data on security feature enablement (CodeQL, Dependabot, secret scanning) showing adoption curves.
- [study] An academic study measuring CI security tool abandonment rates is published.
- [study] The Ghost Security false-positive rate study is published as a standalone, peer-reviewed paper.