Behave as adults
I recently worked on a government project which required slightly higher security than normal. Security painted several stakes in the ground such as all libraries must be scanned and vetted, all tools must be scanned and vetted, patch levels must stay in sync etc. In other words, behaving as adults.
The resistance on the team was unbelievable. They were all refugees from the private sector ( *cough* CA *cough* HPE *cough* IBM *cough* Oracle *cough*) who were working fast and loose with OSS to meet marketing deadlines.
I was working QA at the time and was backing up the security team. We were working to help ensure they played nice. Telling them things like they could not use the latest shiny shiny without proper vetting did not go over well. They kept screeching "waterfall! waterfall!" when it really wasn't. It was just another requirement to meet.
Your basic private sector developer has no clue what a modicum of security means and DevOps "Engineers" had no real ideas in the beginning on how to implement it. It took quite a while to get it right. But there was no compromise on meeting the minimum standard.
But basically it came down to vet the libraries, scan them, patch ASAP, vet and scan your own code, and good QA which included tests for various vulnerabilities. Basically, behave as responsible adults.
One thing we did do which security was quite happy about was code reviews in pull requests. It even allowed us to meet some requirements immediately. They accepted it as good practice without much fuss.
So just be an adult!