Sign up for our newsletter!
Stay informed on the latest DevOps news

DevOps.com

ShiftLeft and CircleCI Strengthen DevOps Security by Inserting Code Analysis as Far Left as Developer Pull Requests

By: on 2 Comments

New Partnership and Product Integration Delivers the Industry’s Fastest and Most Accurate Vulnerability Scanning at One of the Earliest Stages in the CI/CD Pipeline

SANTA CLARA, Calif., Dec 04, 2019

ShiftLeft Inc., an innovator in automated application security, today announced a partnership and deep integration with CircleCI that enables organizations to insert security directly into developer pull requests from code repositories. ShiftLeft Inspect is the first static application security testing (SAST) vendor to partner with CircleCI to provide these capabilities.

Today’s organizations are working to insert security as far left in their DevOps process as possible, but many struggle to achieve the speed and accuracy necessary to automate security quality decisions. To date, the only tools that can run in the build phase take hours or days to scan, dramatically reducing developer velocity. These tools are also known to produce a large number of false positives, which means organizations aren’t willing to automatically fail builds without manually triaging results, which adds further delay.

Pull requests represent a critical phase for developers, as it is the phase in which new individual developer code is integrated into the overall codebase. By enabling SAST at pull requests, the right developer gets the right vulnerability information at the right time. Developers can more efficiently address vulnerabilities in their respective code, improving the overall security of the final build.

The partnership and integration enables CircleCI users to run ShiftLeft Inspect on CircleCI builds and pull requests from any code repository integrated with CircleCI. Pull requests and builds can then automatically be escalated, alerted upon or failed based on security criteria. Hence, CircleCI users can mirror their DevOps initiatives with DevSecOps goals.

“As a technology company with multiple products available on many platforms, we are always looking for the best ways to ensure our code is the highest quality and the most secure. We are excited to be working with ShiftLeft and in partnership with CircleCI to ensure our code pipeline produces secure code. The time and resources we save working with this product allows us to be more agile and more productive.” Rick Bohm, Vice President, Information Security, HomeAdvisor.

As part of the partnership, ShiftLeft Inspect will be free to CircleCI users for an unlimited number of applications and frameworks, totaling no more than 200,000 lines of code and 300 scans per year. The free license will include one programming language and enable CircleCI users to scan up to two applications concurrently.

“Today’s developers are building and delivering software at incredibly high velocity, which is required to meet the demands of organizations and customers,” said Tom Trahan, Vice President of Business Development, CircleCI. “Historically, security has been viewed as a step that slows down that velocity. CircleCI is excited to partner with ShiftLeft to enable developers to insert security further left in the CI/CD pipeline, for accurate vulnerability scanning.”

“When it comes to source code analysis, most of what’s being delivered today in application security is automation for automation’s sake. The tools on the market today aren’t actually enabling organizations to make the right decisions automatically,” said Alok Shukla, Vice President of Product Management, ShiftLeft. “With ShiftLeft and CircleCI, organizations and developers are able to make accurate, fast decisions when it comes to their release quality, further left in the development lifecycle than ever before. By inserting security as far left as the pull requests, we’re delivering industry-first SAST capabilities that will help our customers harness the benefits modern CI/CD pipelines without leaving security behind.”

The integration is immediately available to ShiftLeft customers and CircleCI users via CircleCI Orb that can be found at https://circleci.com/integrations/.

About ShiftLeft

ShiftLeft is a continuous application security platform, purpose-built for the modern software development life cycle. It combines next-generation static code analysis (to quickly and accurately identify vulnerabilities) with application instrumentation (to protect the application) in an automated workflow. This combination of runtime-informed code analysis and code-informed runtime protection delivers the most accurate, automated, and comprehensive application security solution. To learn how ShiftLeft keeps application security in sync with the rapid pace of DevOps, see https://www.shiftleft.io/.