what is the best way to report internal security concerns in a corporate environment - eviltoast

I have repeatedly fund security concerns when working on internal applications. Simple things like sql injection, hard coded credentials, and privileged containers being run as the standard. I brought these up with my team lead, but he says that since its in the dev environment, it does not matter. To me, that is the totally wrong attitude to have about security. We should teach our developers how to not make these mistakes and fix them as we find them. Should I go over his head to report it to other managing parties? I want to say more, but am being as vague as possible just in case. How do I go about reporting internal vulnerabilities in a responsible way that won’t make everyone hate me? I honestly believed that people would be happy to hear about their problems from me rather than get exploited but it does not seem to be the culture here.