Send build rule information to Jira: The check-analysis command now accepts the
--create-jira-issues flag. When using this flag, ShiftLeft will send findings that fail your build rules to Jira, where Jira will create issues for those findings.
Org Owner role: We've added the org owner role to ShiftLeft. The org owner is presumed to be the person creating the ShiftLeft org, but you can change this if desired. Org owners are automatically assigned super user privileges.
Highlights: RBAC and C# updates
C#: We’re pleased to announce that our C# analysis engine now supports the use of lambda and local functions.
RBAC: We’ve added detailed tables to our RBAC documentation that clarify the specific rights and privileges granted to each of the roles available.
Highlights: C# 9/.NET 5, access tokens for CI integrations
C# 9/.NET 5: We’re pleased to announce that we now support apps written in C# 9 and the .NET 5 runtime environment.
CI Access Tokens: We’ve added the ability to create access tokens with the role of CI for use with your ShiftLeft integrations, such as Jenkins, CircleCI, etc. Super admins can create these tokens, which belong to the organization (not the super admin), and invalidate and regenerate the tokens as needed.
Highlights: role-based access control (RBAC), updated C# support
Role-Based Access Control (RBAC): ShiftLeft now features role-based access control, which allows you to assign permissions to users based on their role within an organization or a team, instead of individually. This approach is more straightforward and less error-prone.
C# Applications Support: We have updated ShiftLeft to support more recent versions of the .NET Framework and .NET Core in your runtime and build environments.
Highlights: new Python deep analyzer in NG SAST and addition of the ShiftLeft plugin for Jira to the Atlassian Marketplace
Python deep analyzer for NG SAST: We’ve updated NG SAST to use the CPG deep analyzer to analyze applications written in Python. See our blog announcement for under-the-hood information, and review our documentation on scanning your Python applications.
ShiftLeft Plugin for Jira: Our plugin, which allows you to use Jira to help manage vulnerabilities identified, is now available on the Atlassian Marketplace.
Highlights: ShiftLeft CORE (including Intelligent SCA and developer education tools), added support for apps using Vue.js, and GitLab tutorial updates
ShiftLeft CORE: You’ll notice a bit of new terminology on our website, specifically ShiftLeft CORE, which is our code security platform leveraging our Code Property Graph to offer you next-generation SAST, secrets detection, insights, Intelligent SCA, and developer education! Read more about each aspect of our platform on our blog.
Intelligent SCA: We’ve released Intelligent SCA, which allows you to identify vulnerabilities introduced into your application via third-party libraries, SDKs, APIs, and so on, then prioritize them based on whether they can be easily exploited or not.
Developer Education: We are pleased to announce two new learning resources. The first is ShiftLeft Learn, where you can go to learn about OWASP vulnerabilities and how you can go about mitigating them using NG SAST. In addition to free learning modules, you’ll find tips and tricks for managing your AppSec process, an invitation to our Discord community, and webinars (both recorded and live) focusing on advanced concepts.
The second is a built-in Security Training feature, where you can access a training module. Whenever you open up the Vulnerability Detail panel, you’ll see a link that takes you to a tutorial that’s relevant to the finding (for example, the command injection vulnerability leads you to a module on what a command injection is and how you might handle this type of vulnerability).
GitLab Tutorial Update: We’ve updated and simplified the configuration files required to integrate NG SAST into your GitLab pipeline.
Highlights: Updates to the ShiftLeft CLI tool, new documentation, and security tutorials fresh on the blog
We’ve added two commands to the ShiftLeft CLI tool:
The sl subscription command returns information about your ShiftLeft subscriptions, including when they’re valid, as well as what your current usage and maximum usage levels are.
The sl count-lines command counts the number of lines in a directory, which helps you determine whether the workstation on which you’re running NG SAST has sufficient resources to support the scan.
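Sizing a code base before a scan, as an added example: this POSIX shell script is not the ShiftLeft CLI and does not reproduce how sl count-lines works; it simply totals the lines in regular files under a directory while pruning VCS and dependency folders (the pruned directory names and the sample tree are constructed for the example).

```shell
#!/bin/sh
# Added example, not the ShiftLeft CLI: rough size estimate of a code base
# before a scan. Directories holding VCS metadata or third-party dependencies
# are pruned (constructed list; adjust it for your project layout).

# count_source_lines DIR -> total line count across regular files under DIR
# wc -l is run once per file so its output is "N path"; awk sums column 1,
# which also keeps file names containing spaces from breaking the sum.
count_source_lines() {
    find "$1" \( -name .git -o -name node_modules -o -name target -o -name vendor \) -prune \
        -o -type f -exec wc -l {} \; |
        awk '{ total += $1 } END { print total + 0 }'
}

# make_sample_tree -> creates a constructed directory tree in a temp dir and
# prints its path. Only the two files under src/ should be counted (3 + 2 = 5);
# the .git and node_modules contents are pruned.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src/main" "$d/.git" "$d/node_modules/pkg"
    printf 'a\nb\nc\n' > "$d/src/main/App.java"            # 3 lines
    printf 'x\ny\n' > "$d/src/main/util with space.py"     # 2 lines, name has a space
    printf 'junk\njunk\njunk\njunk\n' > "$d/.git/packed"    # pruned
    printf 'dep\ndep\n' > "$d/node_modules/pkg/index.js"   # pruned
    printf '%s\n' "$d"
}

main() {
    tree=$(make_sample_tree)
    echo "Lines to scan under $tree: $(count_source_lines "$tree")"
    rm -rf "$tree"
}

main "$@"
```

Run it as-is to see the constructed tree counted, or call count_source_lines on a real checkout; the figure is a line total, not a memory requirement, so compare it against the resource guidance for your analyzer rather than treating it as a threshold on its own.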
We’ve made a series of updates to our Documentation that you may find helpful:
Policies are powerful tools that allow you to describe the data and methods in your application, as well as how they relate to each other. This information enhances the code property graph generated, which is helpful to NG SAST for returning higher-level conclusions and relevant security findings. To help you get started, we have added several tutorials on working with custom policies.
We’ve added a troubleshooting guide that you may find helpful if you ever run into any issues working with NG SAST.