This is not something we do on a daily basis. There are security teams that scan our code and using SecureCDK is a big part of it, but what is run per code commit is unit tests, integration tests, load tests, etc, not security tests. If you had 20 years of experience in software, you would know this.