Secure software development has become a priority for all organizations, whether they build software in-house or outsource. Code analysis is now the de facto choice to introduce secure development, as well as measure inherent software risk. Many assume that code analysis requires code compilation as a prerequisite. Today, all major static code analyzers are built on this assumption and only scan post compilation requiring buildable code. The reliance on compilation has major and negative implications for all stakeholders: developers, auditors, CISOs, as well as the organizations that hope to build a secure development lifecycle (SDLC).