
Vickie Li for ShiftLeft

Originally published at blog.shiftleft.io.

Announcing the Velocity Update for ShiftLeft CORE

We are excited to announce the Velocity Update for our application security platform, ShiftLeft CORE! With this update, AppSec and Development teams can fix security issues in source code even more quickly and efficiently. The update adds a number of improvements to the platform that can be found at the end of this post. A few of the highlights include:

  • Improved automation tools
  • Streamlined developer workflows
  • Expanded language support


ShiftLeft CORE’s Velocity Update includes an improved dataflow view that makes it easier to triage attacker reachable open-source and custom code vulnerabilities

When we released ShiftLeft CORE last year, it marked a turning point in the way development teams triage and remediate vulnerabilities. Because the platform analyzes custom and open-source code in a single scan, teams can see if both CVEs and custom code vulnerabilities are attackable (short for “attacker reachable”). Attackable vulnerabilities have the evidence of a dataflow that proves they can be found and exploited by malicious users. Not only does ShiftLeft CORE provide this added context for triaging and fixing vulnerabilities, but it does so with fast, repeatable scans that can be automated alongside unit tests in the pull request.


The Velocity Update streamlines security testing and remediation so teams release secure code more quickly

In the AppSec Shift Left Progress Report that we put out last summer, we observed that the speed of the tool and the ease of integration were leading customers to scan more frequently. Across all customers, 17% of apps were scanned at least daily and 46% were scanned at least weekly. This is significantly higher than the figures in published reports by legacy providers like Veracode. Specifically, ShiftLeft customers scan 56 times more apps daily and 14 times more weekly than customers using legacy tools.

The report also showed that customers were fixing faster. Enterprise customers who enforced build rules fixed 91% of vulnerabilities within two sprints of discovery. This data leads us to conclude that ShiftLeft CORE users get the insight they need when they need it to match speed with modern development cycles.

The Velocity Update builds on the strengths of this platform while also addressing areas we wanted to improve. As mentioned earlier, customers using Build Rules have achieved phenomenal fix rates. This is to be expected; automating security standards by scanning every pull request and intercepting when necessary should lead to fewer vulnerabilities reaching production. But, it can be challenging to build agreement across teams around a process that will disrupt a release.

With the Velocity Update comes “Build Rules v2,” an upgrade that allows teams to break builds based on attackable Intelligent-SCA findings. These findings are particularly strong evidence that real security risk is headed for production and should be intercepted. They combine known open-source vulnerabilities in the form of CVEs with the evidence of a dataflow that connects the vulnerability to an attacker-controlled source. Together these prove that there is a real vulnerability in the code and that it can be found and exploited by a malicious user.


Build Rules v2 allows teams to block builds based on attacker reachable open-source CVEs in addition to custom code vulnerabilities. Anybody with access to the pull request can see the issues that caused the build to fail the test.

The Velocity Update also improves the remediation experience for developers. Improved vulnerability descriptions provide a code-specific explanation of an issue right in the vulnerability view. Developers still have access to interactive lessons through ShiftLeft Educate for deeper training. This update benefits those who need a quick refresher to speed up their fix.


Improved vulnerability descriptions provide language-specific code examples to explain vulnerabilities right in the remediation view

Another developer-centric feature in the Velocity Update, Interactive Remediation, incorporates developer feedback into the scans themselves. Some developers use custom functions to sanitize dataflows in their application. These functions are detected by static application security testing (SAST) but are not recognized as security measures. With Interactive Remediation, developers can configure ShiftLeft CORE to recognize these custom methods so they are suppressed in future scans.
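As an added illustration (not ShiftLeft's engine or its configuration format), a toy taint model shows why a custom sanitizer has to be declared before a scanner can credit it, and why that declaration should be scoped to the vulnerability class the function actually neutralises; every function name below is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class DataflowModel:
    """Minimal taint model: a path is attackable when an attacker-controlled
    source reaches a sink with no sanitizer for that sink's category in between."""
    sources: set[str]
    sinks: dict[str, str]                                          # sink -> vulnerability category
    sanitizers: dict[str, set[str]] = field(default_factory=dict)  # func -> categories it neutralises

    def register_sanitizer(self, func: str, *categories: str) -> None:
        # The developer's declaration: "this custom method is a security
        # measure for these categories". Scoping it matters: a SQL escaper
        # says nothing about XSS, so it must not silence XSS findings.
        self.sanitizers.setdefault(func, set()).update(categories)

    def is_attackable(self, steps: tuple[str, ...]) -> bool:
        if len(steps) < 2 or steps[0] not in self.sources or steps[-1] not in self.sinks:
            return False
        category = self.sinks[steps[-1]]
        return not any(category in self.sanitizers.get(f, set()) for f in steps[1:-1])

    def findings(self, paths):
        return [(self.sinks[p[-1]], p) for p in paths if self.is_attackable(p)]

# Constructed sample dataflows (hypothetical function names, not from a real scan).
SAMPLE_PATHS = (
    ("request.getParameter", "buildQuery", "stmt.executeQuery"),
    ("request.getParameter", "Util.cleanInput", "buildQuery", "stmt.executeQuery"),
    ("request.getParameter", "Util.cleanInput", "response.getWriter().print"),
    ("config.read", "buildQuery", "stmt.executeQuery"),  # not attacker reachable
)

def build_model() -> DataflowModel:
    return DataflowModel(
        sources={"request.getParameter"},
        sinks={"stmt.executeQuery": "sqli", "response.getWriter().print": "xss"},
    )

if __name__ == "__main__":
    m = build_model()
    print("before:", m.findings(SAMPLE_PATHS))        # 3 findings
    m.register_sanitizer("Util.cleanInput", "sqli")   # the team's custom SQL escaper
    print("after:", m.findings(SAMPLE_PATHS))         # 2 findings; the XSS path stays open
```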

And last but not least, the Velocity Update brings expanded language support. For the first time, ShiftLeft CORE will perform SAST scans of mobile apps! Our support for apps written in Kotlin is now in preview. This means teams will soon get feedback as early as every pull request on attackable vulnerabilities in their mobile apps. We have also expanded language support for Intelligent-SCA. Teams who have been using ShiftLeft CORE to find custom code vulnerabilities in Python can now find attackable open-source vulnerabilities as well. And finally, good news for Go developers: I-SCA support for Go is now in beta.

Features included in the Velocity Update are:

Language support updates

  • Kotlin for SAST (in preview) — Find custom code vulnerabilities with attacker reachable dataflows in mobile apps
  • Python I-SCA update — Python scans now show attacker reachable open-source packages with CVEs
  • Go I-SCA update (in beta) — Go scans now show attacker reachable open-source packages with CVEs

Workflow and UI updates

  • Build rules v2 — Rules that can be set to intercept a pull request can now trigger if the code contains attacker reachable open-source CVEs
  • Interactive remediation — Automatically incorporate developers’ custom validation or sanitization methods in scan results
  • Improved data flow visualization — Makes it easier for engineers to browse attacker reachable dataflows
  • Telemetry in dashboard — Makes it easier to debug CI/CD integration and other issues using detailed scan data and custom tags
  • Improved vulnerability descriptions — More detailed explanation of vulnerabilities with language-specific code examples showing best practices, and contrasting code examples of common errors
  • Branch selection — For customers with multiple teams working on the same app, this feature helps focus developers on results relevant to their workflow while still giving AppSec visibility over all branches
  • General UI update — We have updated the look and feel of the summary and remediation views based on input from our users. Some features include: 1) the apps dashboard can now be sorted on attacker reachable vulnerabilities, scan date, and other data; 2) all findings are summarized on the dashboard for the last scan of the application by default; 3) applications can be sorted and grouped directly from the UI; 4) language-based search for applications is available directly from the dashboard

It’s never been a better time to see ShiftLeft CORE in action for yourself. The base account is free, does not require a credit card, and the platform never sends your source code to the cloud. In addition to the great new features above, any accounts created before the end of February 2022 are eligible for an extended premium trial with unlimited scans of 20 apps for 60 days.
