mberning 4 days ago

If you work at a real enterprise that actually takes security seriously, I can assure you a large portion of it is not theater. You will find this out when they come knocking and point out something boneheaded that happened on your watch. I once had an intern that mistakenly committed a non-prod credential into source control. They realized their mistake and replaced it with a token. But not before it had triggered some infosec alert and they blasted me with a stern “ACTION REQUIRED” email. I also had people on my team get snagged by simulated phishing emails and other such things, which are run constantly.

jackblemming 4 days ago

> But not before it had triggered some infosec alert and they blasted me with a stern “ACTION REQUIRED” email.

Why didn’t it fail the build before it was committed if they can automatically do this?