How would you harden a CI/CD pipeline to prevent common vulnerabilities from reaching production at SAS?