(Rahul Mehta is working as a DevSecOps engineer in an IT company that develops cloud-native...

In a mature DevSecOps pipeline, security controls are enforced asgates, not merely as informational checks. When an SCA tool detects acritical vulnerabilityin a dependency—whether direct or transitive—the correct response at the Build and Test stage is tofail the build. This prevents vulnerable artifacts from moving forward into later stages such as deployment or production, where remediation would be more expensive and risky. Allowing the build to continue, even with notifications, contradicts the shift-left security principle. Ignoring transitive dependencies is also dangerous, as many real-world vulnerabilities originate from indirect libraries. Failing the build forces developers to remediate the issue immediately by upgrading, replacing, or mitigating the vulnerable dependency. This approach reduces attack surface, enforces accountability, and ensures that only secure artifacts are released. Therefore, stopping the pipeline upon detection of critical vulnerabilities reflects a strong DevSecOps maturity model and effective security governance.