The huge advances in 'Shift Left' processes makes it possible to deliver code to production that is secure and largely free from vulnerable dependencies. Among other things, these processes typically involve matching dependencies against public vulnerability lists from Mitre, Red Hat, Debian, and other projects.
'Shift Left' Scanning Alone Does Not Go Far Enough to Identify Production Vulnerabilities
Vulnerability lists don’t stand still. CVEs are published through the NVD at a rate of about 50 per day, so the risk of a new vulnerability being found in production is significant. Furthermore, third-party production components may not be scanned in a way that is as rigorous or up-to-date as you would like.