http://software-security.sans.org/blog/2016/04/12/static-analysis-and-code-reviews-in-agile-and-devops