Advisories

14 March 2022

We're in the process of migrating the ShiftLeft application domain from https://www.shiftleft.io to https://app.shiftleft.io. The ShiftLeft website, however, will remain at https://www.shiftleft.io.

With this change, we will be able to provide you with increased security and performance.

You can begin using https://app.shiftleft.io today. We will support the use of both domains through 1 August 2022; at that point, you must use https://app.shiftleft.io for ShiftLeft CORE.

What this change means for ShiftLeft users

Due to the updated domain name, you may need to make the following changes:

  • Update any old sl binaries that might be using https://www.shiftleft.io
  • Update your firewalls; see our updated list of URLs that you should allowlist
  • Update any scripts calling ShiftLeft URLs (e.g., scripts calling the ShiftLeft API, any Terraform modules you use to deploy ShiftLeft CORE)
  • Update your SAML/SSO configuration

Please ensure that you've updated the domain name by 1 August 2022. We recommend that you implement any necessary changes and test before the changeover date.

25 October 2021

Our research team has learned that the ua-parser-js package has been compromised with malicious code by threat actors. The versions affected include:

  • pkg:npm/ua-parser-js@0.7.29
  • pkg:npm/ua-parser-js@0.8.0
  • pkg:npm/ua-parser-js@1.0.0

You can read more of our research in this article.

As of 25 October 2021, a review of dependencies used by active I-SCA customers shows that none of the applications scanned by ShiftLeft CORE are using affected versions of ua-parser-js.

Recommendations

  • Avoid upgrading or rolling back to the affected versions of ua-parser-js.
  • Scan your applications to generate a new SBoM and check for the versions listed above.
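As an added example (not ShiftLeft's own tooling or output), the following check walks a CycloneDX JSON SBoM and reports any component whose purl is one of the three affected versions listed above; it descends into nested components and strips purl qualifiers so a decorated purl does not slip past an exact-string match. The SBoM embedded below is a constructed sample.

```python
import json

# Affected package URLs exactly as listed in the advisory.
AFFECTED_PURLS = {
    "pkg:npm/ua-parser-js@0.7.29",
    "pkg:npm/ua-parser-js@0.8.0",
    "pkg:npm/ua-parser-js@1.0.0",
}

def normalize_purl(purl: str) -> str:
    """Drop purl qualifiers ('?...') and subpath ('#...') so a purl such as
    'pkg:npm/ua-parser-js@0.8.0?repository_url=...' still matches the list."""
    return purl.split("?", 1)[0].split("#", 1)[0].strip()

def iter_components(components):
    """Yield every component, descending into nested 'components' lists
    (CycloneDX lets a component carry its own sub-components)."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))

def find_affected(sbom: dict) -> list[str]:
    """Return the distinct affected purls found in a CycloneDX SBoM, sorted.
    Components without a purl are skipped; only exact versions match."""
    hits = set()
    for comp in iter_components(sbom.get("components")):
        purl = comp.get("purl")
        if purl and normalize_purl(purl) in AFFECTED_PURLS:
            hits.add(normalize_purl(purl))
    return sorted(hits)

# Constructed sample SBoM (not real scan output): a clean version, an affected
# version carrying a qualifier, and an affected version nested in a bundle.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "ua-parser-js", "version": "0.7.28",
     "purl": "pkg:npm/ua-parser-js@0.7.28"},
    {"type": "library", "name": "ua-parser-js", "version": "0.8.0",
     "purl": "pkg:npm/ua-parser-js@0.8.0?repository_url=registry.npmjs.org"},
    {"type": "library", "name": "my-bundle", "version": "2.1.0", "components": [
      {"type": "library", "name": "ua-parser-js", "version": "1.0.0",
       "purl": "pkg:npm/ua-parser-js@1.0.0"}]}
  ]
}""")

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print("AFFECTED:", hit)
```

Point `json.load` at the SBoM your scan produced instead of `SAMPLE_SBOM` to run the same check against a real application.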