Q002 — Barriers to Security Scanning: Complexity Over Fatigue — Medium
Contents
Summary
Query: What are the primary barriers to adoption of comprehensive security scanning pipelines in open source projects, and what evidence exists for 'security fatigue' — the phenomenon where initial post-incident surges in security tooling adoption (e.g., after Log4Shell) reverse over time? What role do setup complexity, false-positive rates, and maintenance burden play in driving abandonment?
Bottom Line: The primary barriers are complexity/awareness, false positive rates, and maintenance burden. Evidence for 'security fatigue' as a temporal pattern is suggestive but not directly demonstrated. The pattern of persistent vulnerable consumption is better characterized as structural friction than episodic fatigue.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | Primary barriers to security tool adoption in open source | ? | ? |
| S02 | Post-incident security tool adoption surges and reversals | ? | ? |
| S03 | False positive rates and alert fatigue in security scanning | ? | ? |
| S04 | Security tool abandonment and maintenance burden | ? | ? |
| S05 | Primary barriers to security tool adoption in open source | ? | ? |
Sources
| ID | Title | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://decan.lexpage.net/files/SANER-2022a.pdf | High | High |
| SRC003 | https://www.sciencedirect.com/science/article/abs/pii/S01641 | High | High |
| SRC004 | https://blog.jetbrains.com/teamcity/2026/03/best-ci-tools/ | Medium | Medium |
| SRC005 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC006 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC007 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC008 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC009 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC010 | https://embeddedbits.org/how-is-the-linux-kernel-tested-embe | Medium | High |
| SRC011 | https://www.kernel.org/doc/html/v6.5/dev-tools/testing-overv | High | High |
| SRC012 | https://arxiv.org/html/2605.07900v1 | High | High |
| SRC013 | https://www.nist.gov/news-events/news/2026/04/nist-updates-n | High | High |
| SRC014 | https://www.moderne.ai/blog/security-dependency-updates-unma | Medium | High |
| SRC015 | https://contribute.cncf.io/resources/services/hosted-tools/ | High | Medium |
| SRC016 | https://www.linuxfoundation.org/research/maintainer-perspect | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Medium |
| Source agreement | High |
Revisit Triggers
- [data_update] GitHub publishes aggregate Dependabot alert dismissal rates or code scanning alert response rates.
- [study] An academic study measures security tool adoption rates before and after Log4Shell using longitudinal CI configuration data.
- [study] GitHub Actions workflow repository mining study tracks tools added then removed from CI configurations over time.
- [study] A replication of the mixed-methods maintainer study (arxiv 2409.07669) with a larger sample confirms or revises the barrier rankings.