Just shoving a developer's IDE full of warnings from CVEs isn't terribly useful, because the CVE/CVSS system doesn't address real security issues well. It's not shifting left to show a bunch of red flags on written code. To really shift left, developers need training to learn how to write secure code and organizational support for application security to be part of the development process, not a nice to have that dropped when product demands new features on impossible deadlines.
