by Spivak 860 days ago
Are there any good enterprise check-the-box compliance tools? Because having good security doesn't obviate needing to box-check for our certifications.
2 comments

Even worse, sometimes the good tools don't check the box because they lack some pointless certification or the CISO "doesn't recognize the name".
I have seen SonarQube do somewhat okay in this role; you may need some configuring for its detections to set what matters for you, but that applies to everything, doesn't it?