Issues with CNAPP Scans Slowing Down Our CI/CD Pipeline

We're currently using CNAPP scans within GitHub Actions for both EKS and AKS, but the integration has turned out to be more fragile than we anticipated. We're facing frequent failures in pre-deploy scans due to problems like policy YAML parsing errors and issues with missing service account tokens in our dynamically mounted kubeconfigs. This ends up blocking a significant portion of our pipelines before the code even reaches the cluster.

On top of that, we've run into problems with agent-based visibility during runtime, especially due to the ephemeral nature of our namespaces. There's also the constant challenge of RBAC drift between clusters, which leads to agents failing to get basic permissions for deployment, leaving us with gaps in runtime coverage even if our builds pass. Managing RBAC across multiple clusters with frequent namespace changes has become a major operational headache.

What has worked better for us has been to minimize our reliance on in-cluster agents. We've found that API-driven scanning with stable service accounts is much more reliable and that using approaches providing pre-runtime visibility through network and identity context helps us avoid much of the fragility that comes with per-cluster agents.