Towards a concept of Security Specification for Software Supply Chain

There is a bevy of static analysis tools that scan source code for common … Can application security tools be designed with goals in mind? Of course … “If I use web framework P, what Q configurations should I enable to stay secure?”