Pattern matching is fast, but security review needs more than regex. Structural parsing is what makes it possible to distinguish dangerous interpolation from safe parameterization.
That lesson carried directly into BugLens. Security feedback only matters if the review can point at the code shape that makes an issue real.
A good scanner does not just find risk. It reduces noise enough that developers continue trusting the tool after the first week.
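The contrast between pattern matching and structural parsing, as an added example (not BugLens code): a naive regex and a Python `ast` check run over the same constructed snippet of database calls. The function names, the regex and the sample are assumptions made for illustration.

```python
import ast
import re

# Constructed sample: one parameterized call, four string-built queries.
SAMPLE = '''\
cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM t WHERE a = {}".format(a))
cur.execute(
    "DELETE FROM t WHERE id = " + str(i)
)
'''

# Naive pattern: an execute( line that contains a formatting marker.
NAIVE = re.compile(r"execute\(.*(%s|\{|\+)")

def regex_hits(src):
    """Line numbers the regex flags (line-by-line, as grep would)."""
    return [n for n, line in enumerate(src.splitlines(), 1) if NAIVE.search(line)]

def _is_constant(node):
    """True when the expression is assembled only from literals."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string without {placeholders}
        return not any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        return _is_constant(node.left) and _is_constant(node.right)
    return False

def _is_built_string(node):
    """f-string, +/% expression or .format() call with non-literal parts."""
    if isinstance(node, (ast.JoinedStr, ast.BinOp)):
        return not _is_constant(node)
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def structural_hits(src):
    """Line numbers of .execute() calls whose first argument is built inline.
    Limit: a query assembled earlier and passed by name needs data-flow analysis."""
    return sorted(
        node.lineno for node in ast.walk(ast.parse(src))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
        and node.func.attr == "execute" and node.args
        and _is_built_string(node.args[0]))

if __name__ == "__main__":
    print("regex:     ", regex_hits(SAMPLE))
    print("structural:", structural_hits(SAMPLE))
```

The regex flags the parameterized call on line 1 and misses the multi-line concatenation starting on line 5; the AST check reports only the four calls where the query string is built from non-literal parts.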