Catch vulnerabilities in the PR loop, not in production. The three pillars of CI security and how to make them bearable, not noisy.