I Inherited a NestJS Codebase. The First Lint Run Found 6 Vulnerabilities.

DEV Community: devsecops·Ofri Peretz·3 days ago
Code review checks for what's there. Static analysis checks for what's missing. That asymmetry is why a codebase can have CI, tests, TypeScript strict mode, and two years of feature PRs — and still ship 6 distinct vulnerability classes that no reviewer caught. Not because reviewers were careless. Because every one of these bugs required noticing the absence of something: a missing decorator, a missing pipe, a missing guard. That's off the mental stack when you're reading route logic.

The first run of eslint-plugin-nestjs-security on a 40K-line production codebase took 12 seconds. It found 47 violations. Here are all 6 — and exactly why each one survived code review.

1. Unguarded Controllers (CWE-284)

What the code looked like:

    @Controller('admin')
    export class AdminController {
      @Get('users')
      async getAllUsers() {
        return this.usersService.findAll();
      }

      @Delete('user/:id')
      async deleteUser(@Param('id') id: string) {
        return this.usersService.…
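To make the "checks for what's missing" point concrete, here is an added example (my code, not the article's and not the code of eslint-plugin-nestjs-security) of the kind of absence check that catches rule 1. It scans the text of a NestJS controller file and reports every route handler that neither a class-level nor a handler-level @UseGuards protects. The sample controller sources are constructed to mirror the snippet above, the function names are hypothetical, and AuthGuard / RolesGuard are just assumed guard class names inside the sample strings; @Controller, @Get, @Delete, @Param and @UseGuards are the real NestJS decorators. A real lint rule walks the TypeScript AST; this line-oriented scanner is kept small for illustration.

```typescript
// Added example: not from the article and not the code of eslint-plugin-nestjs-security.
// Absence check for rule 1 (CWE-284): report route handlers in a NestJS controller
// that no @UseGuards decorator protects, on either the class or the handler.
// Hypothetical line-oriented scanner; a real rule would walk the TypeScript AST.

export interface UnguardedRoute {
  controller: string; // class carrying the @Controller decorator
  handler: string;    // method name of the route handler
  route: string;      // HTTP verb and path, e.g. "DELETE user/:id"
  line: number;       // 1-based line number of the handler in the source
}

// Decorators that turn a class method into a reachable HTTP route.
const ROUTE_DECORATOR = /^@(Get|Post|Put|Patch|Delete|All)\((?:'([^']*)')?\)/;
const CLASS_LINE = /^(?:export\s+)?(?:default\s+)?class\s+(\w+)/;
const METHOD_LINE = /^(?:async\s+)?(\w+)\s*\(/;

export function findUnguardedRoutes(source: string): UnguardedRoute[] {
  const findings: UnguardedRoute[] = [];
  const lines = source.split("\n");
  let pending: string[] = [];           // decorators seen since the last class/method line
  let controller: string | null = null; // @Controller class we are currently inside
  let classGuarded = false;             // true when @UseGuards sits on the class itself
  let depth = 0;                        // brace depth, used to detect the end of the class

  for (let i = 0; i < lines.length; i++) {
    const line = (lines[i] ?? "").trim();

    if (line.charAt(0) === "@") {
      pending.push(line);
    } else {
      const cls = CLASS_LINE.exec(line);
      const method = METHOD_LINE.exec(line);
      if (cls) {
        const isController = pending.some((d) => /^@Controller\b/.test(d));
        controller = isController ? cls[1] ?? null : null;
        classGuarded = pending.some((d) => /^@UseGuards\b/.test(d));
        pending = [];
      } else if (method && controller) {
        // The handler is a route only if one of its decorators is an HTTP verb.
        let route: RegExpExecArray | null = null;
        for (const d of pending) {
          route = ROUTE_DECORATOR.exec(d);
          if (route) break;
        }
        const guarded = classGuarded || pending.some((d) => /^@UseGuards\b/.test(d));
        if (route && !guarded) {
          findings.push({
            controller,
            handler: method[1] ?? "",
            route: `${(route[1] ?? "").toUpperCase()} ${route[2] || ""}`.trim(),
            line: i + 1,
          });
        }
        pending = [];
      }
    }

    // Count braces so we know when the controller's class body has closed.
    for (const ch of line) {
      if (ch === "{") depth++;
      else if (ch === "}") depth--;
    }
    if (depth === 0) controller = null;
  }
  return findings;
}

// Constructed sample inputs (not the article's code): the admin controller without a
// guard, the same controller fixed with one class-level @UseGuards, and a controller
// where only one handler is guarded. AuthGuard and RolesGuard are assumed guard names.
export const UNGUARDED_ADMIN = `
@Controller('admin')
export class AdminController {
  constructor(private readonly usersService: UsersService) {}

  @Get('users')
  async getAllUsers() {
    return this.usersService.findAll();
  }

  @Delete('user/:id')
  async deleteUser(@Param('id') id: string) {
    return this.usersService.remove(id);
  }
}
`;

export const GUARDED_ADMIN = UNGUARDED_ADMIN.replace(
  "@Controller('admin')",
  "@Controller('admin')\n@UseGuards(AuthGuard('jwt'), RolesGuard)",
);

export const MIXED_REPORTS = `
@Controller('reports')
export class ReportsController {
  @Get('summary')
  async summary() { return this.reportsService.summary(); }

  @UseGuards(AuthGuard('jwt'))
  @Delete(':id')
  async remove(@Param('id') id: string) { return this.reportsService.remove(id); }
}
`;

// Lint-style report: one message per unguarded route.
export function formatFindings(findings: UnguardedRoute[]): string[] {
  return findings.map((f) => `${f.line}: ${f.controller}.${f.handler} (${f.route}) has no @UseGuards`);
}

const samples: { name: string; src: string }[] = [
  { name: "unguarded", src: UNGUARDED_ADMIN },
  { name: "guarded", src: GUARDED_ADMIN },
  { name: "mixed", src: MIXED_REPORTS },
];
for (const s of samples) {
  console.log(`${s.name}: ${formatFindings(findUnguardedRoutes(s.src)).join(" | ") || "clean"}`);
}
```

The scanner never looks at what a handler does; it only asks whether a guard decorator is present where one is expected, which is exactly the question a reviewer reading route logic is not asking. Note that it flags the mixed controller's summary route even though the delete route next to it is guarded, since the class-level fix is the one that cannot be forgotten on the next handler.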