Debating with a friend about #CodeScanner services like https://snyk.io ($5bn valuation); it strikes me that a tool which finds holes in #OpenSource apps should itself be Open Source, no? Else why should we trust a closed app to make our open apps trustworthy? 🧐