You said you know there are self-hostable code scanning tools, and you are correct. I use kics.io in my CI pipelines to scan my Ansible playbooks; it was really easy to set up, and it can run locally in a container or is available in some package managers, but it only does infra-as-code tools. There are secrets-only tools like gitleaks and git-secrets. For enterprises there are tools like SonarQube, which are self-hosted, and SaaS tools like Snyk that can also run in your IDE. Side note: along with secret scanning, tools like kics and ansible-lint can be run in a CI pipeline to shame you for bad infra-as-code practices.
I think it would be a great topic to dive into for the homelab show, building on the previous episodes about configuration management and CI/CD.
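To make the pipeline setup described above concrete, here is an added example (not the poster's own config) of a self-hosted GitLab CI pipeline that runs the three tools mentioned, kics for infra-as-code checks, gitleaks for secrets in the repo and its history, and ansible-lint for playbook hygiene, each in its own container so nothing has to be installed on the runner. Assumptions: the playbooks live under `playbooks/` (hypothetical path), the runner can pull the public images `checkmarx/kics`, `zricethezav/gitleaks` and `python`, and the kics binary sits at `/app/bin/kics` inside its image. Every job fails the pipeline on findings, which is the "shame you" behaviour the post describes; kics is told to fail only on high and medium severity so low/info results are reported but do not block.

```yaml
# .gitlab-ci.yml (added example, not from the original post)
# Three independent scan jobs; any non-zero exit fails the pipeline.
stages:
  - scan

variables:
  # Full clone so gitleaks can walk the whole commit history, not just HEAD.
  GIT_DEPTH: "0"

# Infra-as-code misconfiguration scanning with KICS (Ansible platform only).
kics-iac:
  stage: scan
  image:
    name: checkmarx/kics:latest
    entrypoint: [""]          # image entrypoint is kics itself; clear it so GitLab can run `script`
  script:
    - /app/bin/kics scan
        --path playbooks/
        --type Ansible
        --output-path kics-results/
        --report-formats json,sarif
        --fail-on high,medium
  artifacts:
    when: always               # keep the report even when the job fails
    paths:
      - kics-results/
    expire_in: 1 week

# Secrets scanning over the working tree and git history with gitleaks.
gitleaks-secrets:
  stage: scan
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]
  script:
    - gitleaks detect
        --source .
        --redact                 # never echo the matched secret into CI logs
        --report-format json
        --report-path gitleaks-report.json
  artifacts:
    when: always
    paths:
      - gitleaks-report.json
    expire_in: 1 week

# Playbook style and best-practice checks with ansible-lint.
ansible-lint:
  stage: scan
  image: python:3.12
  before_script:
    - pip install --quiet ansible-lint
  script:
    - ansible-lint playbooks/
```

Run order does not matter, so all three jobs sit in one stage and execute in parallel. Both kics and gitleaks exit non-zero on findings by default (kics encodes the highest severity found in its exit code, which is why `--fail-on` controls the threshold); if you want a report-only warm-up period while cleaning up existing findings, add `allow_failure: true` to a job rather than loosening the scanners themselves.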