One way to take things out is to have something like Sonar on the CI/CD pipeline, configured exactly to take specific patterns out, that break the PR builds and won't get greelighted for merging.

Yeah, not everyone likes those of us that share development roles alongside security best practices enforcement.