ShiftLeft Scan was built with usability and rapid time-to-value in mind. It can be deployed with one click from marketplace integrations for popular DevOps tools and cloud infrastructure vendors. Alternatively, packages and source code can be downloaded directly from ShiftLeft Scan’s code repository. Documentation and licensing are also available online.
ShiftLeft Scan leverages the best open source scanning tools, specifically chosen for their efficacy in each supported programming language. For some languages (Java, Python, Golang, etc.) it combines and tunes multiple open source scanning tools for best results, while other languages (Kotlin, Apex, Ruby, etc.) are well covered by a single open-source scanning tool. The open-source tools used include FindSecBugs, PMD and gosec, among others.
Unlike custom code, open-source libraries often have known vulnerabilities that increase your application’s attack surface. ShiftLeft Scan’s dependency security is powered by cdxgen and vulnerability-db and supports the grafeas format. It determines which libraries the source code uses and which versions of them are present, then looks up the corresponding known vulnerabilities in CVE databases. However, existing open vulnerability databases have as much as 20% inconsistency across libraries, version numbers and CVE identification numbers. Hence, ShiftLeft Scan also includes additional standardization to maintain high quality results above and beyond the core open source tools it leverages.
Hard-coded usernames, passwords, tokens and other secrets in the source code are an increasingly common security risk. As microservice architectures and API usage become more prevalent, developers increasingly need to exchange credentials and other secrets internally and/or externally. This leads many organizations to take shortcuts because setting up proper authentication schemes can be cumbersome and time-consuming.
ShiftLeft Scan was built with the goal of providing developers with a seamless workflow to automate security across the various phases of the SDLC. Hence, ShiftLeft Scan leverages the Static Analysis Results Interchange Format (SARIF) and includes pre-built integrations with common DevOps tools and IDEs. All of ShiftLeft Scan’s security capabilities can be automated while developers code, at the pull request and/or during builds. Pre-built integrations are available for Azure DevOps Pipelines, GitHub Actions, GitLab CI, Google Cloud Build, CircleCI, Jenkins, Travis CI, D2IQ Dispatch, and Visual Studio.
ShiftLeft Scan supports multiple programming languages and frameworks, including Apache Velocity, bash, Golang, Java, JSP, Node.js, Oracle PL/SQL, Python, Rust (dependency & license scans only), Salesforce Apex, Salesforce Visual Force and Terraform.
ShiftLeft Scan itself is open source and free under the GPLv3 license, and it leverages the best open-source application security tools. Multiple open-source tools were evaluated for speed and accuracy before the best of each tool type was selected for each programming language. Furthermore, where beneficial, multiple tools were combined and/or tuned for optimal results.