01 · The challenge
A global financial services company, operating in a highly regulated, security-sensitive environment, set out to reduce security risk and improve developer velocity without sacrificing control or compliance. Its footprint spanned hundreds of Java-based services with inconsistent versions of critical frameworks like Spring Boot and complex dependency trees across GitHub-hosted monorepos.
The team already had mature DevSecOps practices, including static analysis and vulnerability scanning, but the real bottleneck was remediation. Alerts were surfaced, yet upgrading packages, removing deprecated methods, and verifying safe implementation still fell on developers. Each team modernized a little differently, leading to duplicated effort and inconsistent outcomes. The goal was not to overhaul broken systems; it was to scale excellence by codifying best practices as policy and enforcing them automatically.
02 · The solution
To scale secure code remediation across hundreds of applications, the platform engineering team brought in Moderne. While they had experience with the open-source OpenRewrite framework, they needed something purpose-built for large organizations that could run changes safely across dozens of teams, enforce consistency, and integrate with existing tooling. By connecting Moderne to GitHub and CI/CD, the team shifted from reactive, manual work to a proactive, repeatable process.
- Upgrading vulnerable libraries by automatically updating dependencies and cleaning up risky patterns.
- Modernizing frameworks, streamlining the migration to Spring Boot 3.0 and Java 17 without custom scripts per team.
- Building reusable internal recipes to enforce secure defaults and meet compliance requirements.
- Integrating automated code changes into GitHub pipelines so teams validate and deploy with minimal manual effort.
03 · The results
By integrating Moderne into their software delivery lifecycle, the team improved both security posture and developer efficiency. What once required weeks of coordination across security, development, and QA could now be executed in hours through safe, repeatable code transformations. Security updates that had been deprioritized due to manual overhead became part of an automated process.
Teams could respond to emerging CVEs quickly, validate changes in staging, and push updates across production systems without writing custom scripts or slowing delivery. Validating changes across hundreds of repos in parallel helped the company maintain consistency and compliance, even across decentralized teams and legacy systems.