Adopt
Static code analysis and quality gate. In active use at the pipeline level. Surfaces code smells, security hotspots, and coverage gaps on every PR. For a regulated product, the quality gate provides a lightweight but auditable code review checkpoint that complements the human review process.
Complements Snyk (dependency scanning) — together they cover the OWASP Top 10 surface adequately for a team of this size.