I'm facing challenges with the pre-commit hooks for vulnerability scanning mandated by our security team. While the idea is great, the reality is that scans take about 3-5 minutes, and I often end up dealing with false positives. Moreover, when I do encounter a real issue, I'm spending time Googling solutions and losing track of my original coding task. I also find that issues that should be caught in the IDE don't surface until I try to commit, which often leaves me with two bad options: either ignore the finding or waste time on a fix that could have been addressed earlier. I'm curious if anyone has suggestions for tools or strategies that maintain developer productivity without compromising on security.
5 Answers
You're spot on about the timing! Pre-commit checks can feel too late since you've often written the vulnerable code by then. Try using IDE plugins that highlight issues in real-time, almost like auto-complete suggestions. This integrates security checks into your coding flow rather than saving everything for the commit stage.
Honestly, I think you should consider switching some of these checks to your CI pipeline instead. Commit-time checks can really disrupt development. Let the CI catch those issues in the background, that way developers can keep their focus without constantly being blocked by the hooks.
For sure, having that 3-5 minute wait is a productivity killer. The solution is to flag issues as you code, not just at the end. Tools like Checkmarx can provide real-time feedback by scanning your code continuously while you type. That way, the pre-commit hooks can serve as a final safety net instead of a bottleneck. It's not perfect, but at least you won't lose your train of thought waiting for the scans every time.
I totally get where you're coming from! Pre-commit hooks that take too long just push developers to skip them. The trick is to move that scanning into your IDE. This way, you catch problems as you're coding rather than being blindsided at commit time. This approach makes the pre-commit scan a much quicker sanity check instead of a surprise debugging session later on.
I've found that anything taking too long can go in a separate repo; then try not to change it frequently. Keeping heavy scans out of the main workflow can help a lot. You want to minimize the pain for developers while maintaining coverage.
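The answers above converge on a fast pre-commit sanity check with the heavy scan moved elsewhere. As an added example (not code from the thread or from any tool it names), a POSIX sh hook body that scans only the lines the staged diff adds against a few cheap patterns and a reviewed baseline of accepted findings; the pattern set, the `.scan-baseline` file name and the sample diff are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any tool named in it: a hook
# that scans only the lines a commit ADDS, skips findings already accepted in a
# baseline, and leaves the slow full scan to CI. Patterns are assumptions.
# Cheap, high-confidence patterns only (one extended regex per line).
PATTERNS='(password|passwd|secret|api_key)[[:space:]]*=[[:space:]]*"[^"]+"
-----BEGIN [A-Z ]*PRIVATE KEY-----'
# scan_added_lines DIFF BASELINE: DIFF is unified diff text (git diff --cached);
# BASELINE holds accepted "path:line" entries, reviewed once, not per commit.
# Prints each new finding as "path:line" and returns how many there were.
scan_added_lines() {
    diff=$1; baseline=$2; found=0; file=""
    set -f                                  # no globbing while splitting patterns
    while IFS= read -r line; do
        case $line in
            '+++ b/'*) file=${line#'+++ b/'} ;;   # hunk header: current file
            '+++'*) ;;                            # e.g. '+++ /dev/null'
            '+'*)                                 # an added line: inspect it
                added=${line#+}
                old_ifs=$IFS; IFS='
'
                for pat in $PATTERNS; do
                    if printf '%s\n' "$added" | grep -Eiq -- "$pat"; then
                        key="$file:$added"
                        if ! printf '%s\n' "$baseline" | grep -Fqx -- "$key"; then
                            printf '%s\n' "$key"; found=$((found + 1))
                        fi
                        break
                    fi
                done
                IFS=$old_ifs ;;
        esac
    done <<EOF
$diff
EOF
    set +f
    return $found
}
# Constructed sample: one staged hunk; the test fixture key was already accepted.
SAMPLE_DIFF='--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,4 @@
 import os
+DB_PASSWORD = "hunter2"
+API_KEY = "test-key"'
SAMPLE_BASELINE='app/config.py:API_KEY = "test-key"'
# Real hook: scan_added_lines "$(git diff --cached)" "$(cat .scan-baseline)"
scan_added_lines "$SAMPLE_DIFF" "$SAMPLE_BASELINE" || echo "$? new finding(s): fix, or baseline them after review" >&2
```

Because the cost scales with the size of the change rather than the repository, the hook stays sub-second, while anything the cheap patterns miss is still caught by the full CI scan.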