2021

14 December

This is an update regarding ShiftLeft CORE and CVE-2021-44228, the critical vulnerability in the Log4j 2 library that allows unauthenticated remote code execution.

Shortly after the announcement of this vulnerability, we added CVE-2021-44228 to our database. Additionally, our engineering and operations teams have audited and patched up all vulnerable code and systems within our infrastructure. We began this process on Friday and completed the work over the weekend.

We have not detected any attempts to exploit this vulnerability against our systems. We continue to monitor the situation closely.

30 November

Highlights: Kotlin support, scan details for applications, and automatic detection of Git branch names

What's New

  • Kotlin: We are pleased to announce beta support for Android applications written in Kotlin.

  • Scan details for applications: As part of your scan results, ShiftLeft now displays detailed information about the analysis, including the version ID, size of your application/lines of code, the token used to authenticate with ShiftLeft and begin the scan, and the specific parameters provided.

  • Automatic detection of Git branch names: When running sl analyze, you can provide the name of your branch so that your results are easily identifiable. However, if you’re working with Git, ShiftLeft now detects the name of your Git branch automatically and uses it.

20 October

Highlights: updates to sl analyze, adding sl remediation, and Dashboard and application summary refresh

What's New

  • Modifying the severity of findings: We have deprecated the sl modify-findings command, which had been used by administrators to change the severity of findings after code analysis based on pre-defined rules. Now, ShiftLeft automatically performs this action as part of the sl analyze invocation if you have modification rules defined.

  • Suppressing findings: Our sl remediation feature allows you to suppress findings identified by ShiftLeft based on patterns you define.

  • Dashboard: We are pleased to announce that we have released a refresh of the ShiftLeft Dashboard. In addition to new styling, you will see:

    • Detailed findings counts, including reachable/unreachable OSS vulnerabilities, secrets, and insights (for JavaScript users)
    • Scan details, including the name of the Git branch and timestamps
    • The ability to create an app group via the Dashboard (previously, you could only do so using the ShiftLeft CLI)

  • Application summary view: In addition to refreshing the Dashboard, we have revamped the application summary view.

  • AWS Marketplace: ShiftLeft CORE is now available on the AWS Marketplace. AWS users now have an additional option for procuring ShiftLeft.

1 September

Highlights: SCA for JavaScript, sending build rule notifications to Jira, and the org owner role

What's New

  • SCA for JavaScript: We're pleased to announce that ShiftLeft now identifies open-source vulnerabilities when scanning JavaScript applications.

  • Send build rule information to Jira: The check-analysis command now accepts the --create-jira-issues flag. When you use this flag, ShiftLeft sends the findings that fail your build rules to Jira, and Jira creates an issue for each of those findings.

  • Org Owner role: We've added the org owner role to ShiftLeft. The org owner is presumed to be the person creating the ShiftLeft org, but you can change this if desired. Org owners are automatically assigned super user privileges.

15 August

Highlights: RBAC and C# updates

What's New

C#: We’re pleased to announce that our C# analysis engine now supports the use of lambda and local functions.

RBAC: We’ve added detailed tables to our RBAC documentation that clarify the specific rights and privileges granted to each of the roles available.

31 July

Highlights: C# 9/.NET 5, access tokens for CI integrations

What's New

15 July

Highlights: role-based access control (RBAC), updated C# support

What's New

  • Role-Based Access Control (RBAC): ShiftLeft now features role-based access control, which allows you to assign permissions to users based on their role within an organization or a team, instead of individually. This approach is more straightforward and less error-prone.

  • C# Applications Support: We have updated ShiftLeft to support more recent versions of the .NET Framework and .NET Core in your runtime and build environments.

28 May

Highlights: new Python deep analyzer in NG SAST and addition of the ShiftLeft plugin for Jira to the Atlassian Marketplace

What's New

  • Python deep analyzer for NG SAST: We’ve updated NG SAST to use the CPG deep analyzer to analyze applications written in Python. See our blog announcement for under-the-hood information, and review our documentation on scanning your Python applications.

  • ShiftLeft Plugin for Jira: Our plugin, which allows you to use Jira to help manage vulnerabilities identified, is now available on the Atlassian Marketplace.

15 April

Highlights: ShiftLeft CORE (including Intelligent SCA and developer education tools), added support for apps using Vue.js, and GitLab tutorial updates

What's New

  • ShiftLeft CORE: You’ll notice a bit of new terminology on our website, specifically ShiftLeft CORE, which is our code security platform leveraging our Code Property Graph to offer you next-generation SAST, secrets detection, insights, Intelligent SCA, and developer education! Read more about each aspect of our platform on our blog.

  • Intelligent SCA: We’ve released Intelligent SCA, which allows you to identify vulnerabilities introduced into your application via third-party libraries, SDKs, APIs, and so on, then prioritize them based on whether they can be easily exploited or not.

  • Developer Education: We are pleased to announce two new learning resources. The first is ShiftLeft Learn, where you can go to learn about OWASP vulnerabilities and how you can go about mitigating them using NG SAST. In addition to free learning modules, you’ll find tips and tricks for managing your AppSec process, an invitation to our Discord community, and webinars (both recorded and live) focusing on advanced concepts.

    The second is a built-in Security Training feature, where you can access a training module. Whenever you open up the Vulnerability Detail panel, you’ll see a link that takes you to a tutorial that’s relevant to the finding (for example, the command injection vulnerability leads you to a module on what a command injection is and how you might handle this type of vulnerability).

  • Vue.js Support: We have added full support for the Vue.js framework, and we offer a sample application featuring this framework for your review.

  • GitLab Tutorial Update: We’ve updated and simplified the configuration files required to integrate NG SAST into your GitLab pipeline.

1 March

Highlights: Updates to the ShiftLeft CLI tool, new documentation, and security tutorials fresh on the blog

What's New

  • We’ve added two commands to the ShiftLeft CLI tool:

    • The sl subscription command returns information about your ShiftLeft subscriptions, including when they’re valid, as well as your current usage and maximum usage levels.

    • The sl count-lines command counts the number of lines of code in a directory, which helps you determine whether the workstation on which you’re running NG SAST has sufficient resources to support the scan.

  • We’ve made a series of updates to our Documentation that you may find helpful:

    • Policies are powerful tools that allow you to describe the data and methods in your application, as well as how they relate to each other. This information enhances the code property graph generated, which is helpful to NG SAST for returning higher-level conclusions and relevant security findings. To help you get started, we have added several tutorials on working with custom policies.

    • We’ve added a troubleshooting guide that you may find helpful if you ever run into any issues working with NG SAST.