I don't have confidence about scans in general against novel attacks. Scans are effective against the threat model of off-the-shelf attacks, not a threat model of highly motivated, highly-skilled attackers capable of inserting subtle defects anywhere in a giant codebase.