[dschofie]

Definitely! A lot of this falls under the "reachability" umbrella. It's just a little harder to say if something is actually used vs just installed. For example, in your app you could exec a script which can be harder for tools to detect with accuracy and there are just quite a few edge cases to handle

[lysace]

I guess the scanner would need to be provided with runtime data, somehow. I.e. two phases of scanning, before and after deployment. Suddenly it's getting quite complex, especially if you include the security aspects of that scanner running in prod.