Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about static scanning for modern application risk?

They assume static findings are enough to establish exposure. In practice, source code and configuration checks do not reliably show whether a runtime will accept a malicious payload or whether a package credential has already been abused. Teams need behavioural evidence, not just file-based evidence.

Why This Matters for Security Teams

Static scanning is useful, but it is not an exposure verdict. Source code review, dependency analysis, and configuration checks can show where risk exists, yet they do not prove whether a runtime will actually accept a malicious payload, whether a secret has already been abused, or whether an API path is reachable from the real attack surface. That gap matters because modern applications are assembled from packages, APIs, agents, and ephemeral infrastructure that change faster than a scan can explain.

Security teams also tend to overread clean scan results as proof of safety. The more accurate view is that static evidence is only one signal, and it must be paired with runtime context, identity controls, and behavioural verification. That is consistent with the broader direction in NIST Cybersecurity Framework 2.0, which treats risk management as an ongoing operational activity rather than a one-time assessment. NHIMG’s analysis of NHI risk shows why this matters in practice: the State of Non-Human Identity Security report found that 72% of organisations have experienced or suspect a breach of NHIs.

In practice, many security teams discover exploitability only after a package token, service credential, or exposed endpoint has already been used, rather than through intentional validation before release.

How It Works in Practice

Modern application risk has to be assessed as a combination of code, identity, runtime, and behaviour. Static scanning can tell a team that a dependency is vulnerable or that a secret is present in a repository, but it cannot tell whether the secret is active, whether it has scopes that matter, or whether the application can be reached in the environment where it actually runs. That is why current guidance increasingly pushes teams toward evidence from execution, not just files.

A practical workflow usually looks like this:

  • Use static scanning to find obvious defects, hardcoded secrets, weak dependency versions, and policy violations early in the pipeline.
  • Correlate findings with runtime telemetry, such as request traces, container behaviour, identity usage, and network exposure.
  • Validate whether a dependency or package credential is live, over-privileged, rotated, or already abused in production.
  • Prioritise findings that combine exploitability with reachability, not just severity labels.

This is especially important for non-human identities, because the attack path often runs through credentials, OAuth grants, service accounts, and automation tokens rather than through obvious code flaws. NHIMG’s OWASP NHI Top 10 guidance and the Top 10 NHI Issues both reflect the same operational lesson: identity misuse is often the real exposure, not the source file itself.

For modern stacks, teams should also add policy-as-code checks, continuous secret discovery, and runtime permission review so static findings are tested against what the application can actually do. These controls tend to break down in highly ephemeral Kubernetes, serverless, or agent-driven environments because the asset, identity, and network path may disappear before a traditional scan cycle can confirm exposure.

Common Variations and Edge Cases

Tighter static scanning often increases pipeline friction, requiring organisations to balance earlier defect detection against slower delivery and more false positives. That tradeoff becomes sharper when teams scan monorepos, generated code, or vendor-managed components, where a large percentage of findings may be technically true but operationally irrelevant.

There is also no universal standard for how much runtime evidence is enough. Best practice is evolving toward layered verification: static analysis for potential issues, dynamic testing for exploitability, and identity telemetry for actual access risk. In environments with heavy third-party integrations, OAuth applications, or automated build systems, the biggest blind spot is often not the vulnerability itself but the credential chain around it. The Ultimate Guide to NHIs — Why NHI Security Matters Now captures this shift clearly: security teams have to think beyond files and into machine-to-machine trust.

Static scanning still has value, but it should be treated as a screening mechanism, not a final answer. In practice, the safest prioritisation comes from combining code findings with live proof of reachability, privilege, and abuse potential.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 ID.RA Risk assessment requires evidence beyond static findings.
OWASP Non-Human Identity Top 10 NHI-03 Static scans miss credential abuse and weak NHI controls.
NIST AI RMF Explains why evidence-based risk decisions must be continuous.

Pair scan results with runtime exposure, abuse signals, and business context before prioritising fixes.