The Most Accurate Code Analysis

Get Started in Under 10 Mins

ShiftLeft Scan was built with usability and rapid time-to-value in mind. It can be deployed with one-click from marketplace integrations for popular DevOps tools and cloud infrastructure vendors. Alternatively, packages and source code can be downloaded directly from ShiftLeft Scan’s code repository. Documentation and licensing are also available online.

For live support, weekly "Office Hours" are held with ShiftLeft Scan creator Prabhu Subramanian every Tuesday at 10am Pacific. Sign up here.

Secure Custom Code with Static Analysis (SAST)

ShiftLeft Scan leverages the best open-source scanning tools, each chosen for its efficacy in the programming language it covers. For some languages (Java, Python, Golang, etc.) several open-source scanners are combined and tuned for best results, while other languages (Kotlin, Apex, Ruby, etc.) are well covered by a single open-source scanner. Among the tools used are FindSecBugs, PMD and gosec.

Secure Open Source Libraries (SCA)

Unlike custom code, open-source libraries often carry known vulnerabilities that increase your application’s attack surface. ShiftLeft Scan’s dependency security is powered by cdxgen and vulnerability-db and supports the Grafeas format. It determines which libraries the source code uses and at which versions, then looks up the corresponding known vulnerabilities in CVE databases. However, existing open vulnerability databases show as much as 20% inconsistency across library names, version numbers and CVE identifiers. ShiftLeft Scan therefore adds a standardization step on top of the core open-source tools it leverages to keep result quality high.

Audit Open-Source Licenses

As modern software development becomes more reliant upon open-source libraries, understanding and auditing the licenses of consumed libraries becomes an essential part of protecting and managing intellectual property.

Detect Hard-Coded Secrets

Hard-coded usernames, passwords, tokens and other secrets in source code are an increasingly common security risk. As microservice architectures and API usage become more prevalent, developers increasingly need to exchange credentials and other secrets, internally and externally. Because setting up proper authentication schemes can be cumbersome and time-consuming, many organizations take shortcuts and embed the secrets directly in code.

Integrated Workflows

ShiftLeft Scan was built to give developers a seamless workflow for automating security across the phases of the SDLC. To that end it emits the Static Analysis Results Interchange Format (SARIF) and ships pre-built integrations for common DevOps tools and IDEs. All of ShiftLeft Scan’s security capabilities can be automated while developers code, at the pull request and/or during builds. Pre-built integrations are available for Azure DevOps Pipelines, GitHub Actions, GitLab CI, Google Cloud Build, CircleCI, Jenkins, Travis CI, D2IQ Dispatch and Visual Studio.

Language & Framework Support

ShiftLeft Scan supports multiple programming languages and frameworks, including Apache Velocity, bash, Golang, Java, JSP, Node.js, Oracle PL/SQL, Python, Rust (dependency & license scans only), Salesforce Apex, Salesforce Visual Force and Terraform.

  • Apache Velocity
  • Bash
  • Golang
  • Java
  • JSP
  • Node.js
  • Oracle PL/SQL
  • Python
  • Rust (dependency & license scans only)
  • Salesforce Apex
  • Salesforce Visualforce
  • Terraform

An Open-Source Platform Leveraging the Best Open-Source Tools

ShiftLeft Scan itself is open source and free under the GPLv3 license, and it leverages the best open-source application security tools. Multiple open-source tools were evaluated for speed and accuracy before the best of each tool type was selected for each programming language. Where beneficial, several tools were combined and/or tuned for optimal results.
