- Story
- Resolution: Done
- Normal
- None
- None
- None
SA-11(1) asks for static analysis to be implemented. There has recently been an effort by prodsec to run tools developed by Kamil Dudka. There even seems to be a report:
https://docs.google.com/document/d/1Ob0hEWdWebM5Nvi68ab6iO-9SL555bKADjLX4EbVOmc/edit
But at the moment, it is unclear to me how the whole process works and at which point the flaws are pointed out to developers and acted on.
The control requires that:
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Acceptance criteria:
- find out if the work done by Kamil and prodsec is enough to satisfy SA-11(1)