
So, you are saying "Developers don't want to deliver quality."?

If that is true, then I don't want to work with them.




I am saying "Developers do not want to: 1 - Pay A LOT of money for advanced solutions that are more than AST checkers (hello SonarQube) or big piles of false positives. 2 - Add overhead to their workflows (more than an IDE plugin is harmful, and what happens with those devs not using an IDE?). 3 - Spend time on figuring out if the static analysis results make sense or not, one by one."

A typical SCA tool can report hundreds or thousands of occurrences for a certain code base. How are developers going to deal with them?


I am from an engineering background and not solely a software guy, so forgive me my different view on this topic.

I learned that every error you can fix early on will cost you about 10x to fix in the next stage.

All the new principles like Agile have not changed that.


I think the idea is not that it's not worth fixing errors as soon as possible (which it is), but that static analysis tools provide too many false positives and too many non-errors to be useful.


I guess you can combine the points: if you use static analysis from the start / have it configured right then the amount of false positives should stay relatively low.



