Adding static security analysis to a CI/CD pipeline is a great way to improve the security and quality of a product's codebase. But does it work as intended? Does a green pass mark really mean there are no security defects left? Are we sure that all of our code is even covered by the scans? And do we know how our programming paradigm affects the results? In this talk we'll dive into the types of static security analysis that currently exist, look practically at their respective strengths and weaknesses, and learn how to properly set up the right tool for a project.