2022

1 August

Highlights: Go 1.18, updates to build rules v2, continuous SCA, dashboard updates

What's new

  • Go: we have updated ShiftLeft Core to support the analysis of applications written using Go 1.18.

  • Build rules v2: our build rules v2 feature now supports the use of OWASP Top 10 - 2021 tags and severity ratings based on CVSS 3.1 scores:

    • Low: 0.1-3.9
    • Medium: 4.0-6.9
    • High: 7.0-8.9
    • Critical: 9.0-10.0
  • Continuous SCA: the continuous SCA feature alerts you to new OSS vulnerabilities that are disclosed after you've scanned your application. ShiftLeft monitors for newly published issues that affect your scanned application; if any are found, you'll see a notification under the dashboard's OSS Vulnerabilities tab. You should then rescan your application to populate the results in the dashboard.

  • Dashboard updates: we've updated the ShiftLeft dashboard with the following changes:

    • The applications overview page, which lists all of the applications associated with your org, now features graphical representations of the findings by type and severity
    • The new Organizations page allows you to see your user profile information and (if you're an admin) manage your org users and teams
    • The findings listed in the dashboard now support the use of CVSS 3.1 and OWASP Top 10 - 2021 tags.
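
The following is an added example (not ShiftLeft's code) that applies the CVSS 3.1 severity bands listed above to a set of findings and gates a build on a chosen severity threshold, the way a build rule would. The Finding records and their scores are constructed for illustration; the band edges are the ones in the release notes, and a score of 0.0 (which CVSS 3.1 rates "None") is outside every listed band, so it is handled separately so the gate can ignore it.

```python
"""Severity banding and build gating on CVSS 3.1 base scores.

Added example, not ShiftLeft's code. The bands are the ones listed for
build rules v2; the findings and the gate are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# CVSS 3.1 base score bands as listed in the release notes (inclusive).
# Scores carry one decimal place, so the gaps between bands
# (e.g. 3.9 -> 4.0) cannot be hit by a real score.
SEVERITY_BANDS = (
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
)

# Ordering used when comparing a finding against a gate threshold.
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def cvss_severity(score: float) -> str:
    """Map a CVSS 3.1 base score to its severity rating.

    A score of 0.0 is not covered by the listed bands; CVSS 3.1 calls that
    rating "None", and it is returned explicitly so a gate can skip it.
    Values outside [0.0, 10.0] are rejected rather than silently banded.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS 3.1 base scores lie in [0.0, 10.0], got {score}")
    score = round(score, 1)  # normalise to the one-decimal precision CVSS uses
    if score == 0.0:
        return "None"
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("unreachable: the bands cover 0.1 through 10.0")


@dataclass(frozen=True)
class Finding:
    """Minimal constructed finding record: an identifier and its CVSS score."""
    id: str
    cvss: float


# Constructed sample findings, one per band edge worth checking.
SAMPLE_FINDINGS = [
    Finding("f-1", 3.9),   # top of Low
    Finding("f-2", 6.9),   # top of Medium
    Finding("f-3", 7.0),   # bottom of High
    Finding("f-4", 10.0),  # top of Critical
    Finding("f-5", 0.0),   # rated "None", never blocks
]


def gate_build(findings: List[Finding], fail_at: str = "High") -> Tuple[bool, List[Finding]]:
    """Fail the build if any finding is rated at or above `fail_at`.

    Returns (passed, blocking_findings). Raises KeyError for an unknown
    threshold name so a misspelt rule does not silently pass everything.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK[cvss_severity(f.cvss)] >= threshold]
    return (not blocking, blocking)


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.id}: CVSS {f.cvss:>4} -> {cvss_severity(f.cvss)}")
    passed, blocking = gate_build(SAMPLE_FINDINGS, fail_at="High")
    print("build passed" if passed else "build failed on: " + ", ".join(b.id for b in blocking))
```

The threshold comparison uses the rank table rather than the raw score so that a rule written in terms of severity names ("fail on High or above") behaves the same whether the underlying score is 7.0 or 8.9.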

12 July

Highlights: C# improvements, Kotlin improvements, dashboard updates, and updates to the VS Code extension.

What's new

  • Analyzing C# applications: we have updated csharp2cpg so that you are no longer required to build your C# application before submitting it to ShiftLeft for analysis, though we still recommend doing so.

  • Analyzing Kotlin applications: We have added the following flags, which you can use during the analysis of Kotlin applications:

    • --classpath <path>: adds a path to the classpath used by the compiler during analyses;
    • --gradle-project-name <name>: the Gradle project name to be used when downloading dependencies;
    • --gradle-configuration-name <name>: the Gradle configuration name to be used when downloading dependencies;
    • --ignore-path <path>: the path to add to the list of directories that ShiftLeft will ignore during analyses.
  • Dashboard updates: we have updated the dashboard with the following improvements:

    • The application summary view now includes additional visual displays (e.g., additional graphs alongside numeric indicators) to streamline the presentation of your data;
    • The dashboard overview now features two additional tabs:
      • App Groups allow you to view and manage your app groups;
      • Teams enable you to manage the teams you've created, as well as the apps and users assigned to those teams.
    • Filtering by sources and sinks: When reviewing the data flow for individual findings, you can now select a specific source and sink to filter by; this allows you to triage vulnerabilities faster and determine which findings your code fixes would affect.
  • Updated VS Code extension: We've updated the VS Code extension, making UI updates and adding several options to the Command Palette.

6 June

Highlights: custom reports, API updates, JavaScript optimization, ShiftLeft CORE Extension for VS Code, and policy updates

What's new

  • Custom reports when running sl check-analysis: We've added support for templates to sl check-analysis, which gives you more control over how the build rules reports this command generates are presented.

  • API updates: We have added a series of endpoints to the ShiftLeft API, including:

    • A series of findings-related endpoints that allow users to:
      • Check a scan against a set of rules (using another scan as a reference)
      • Set the status of one or more findings
      • Set the assignee for a finding
      • Get scan information from a specific branch
    • An endpoint that returns a PCI-DSS report for a particular scan
  • JavaScript optimization: We've added a feature that allows JavaScript users to optimize project dependencies during transpilation (i.e., reduce dependencies to the minimal set that's required to transpile the JS/TS code), which may result in faster execution times.

  • ShiftLeft CORE Extension for VS Code: We are pleased to announce that our extension for VS Code is now available in the Visual Studio Marketplace. This extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities, all within your IDE.

  • Policies: In addition to the existing default policies, we now offer one that includes the default policy, sensitive data dictionary, and best practice guidelines. With this policy, ShiftLeft will show both best-practice violations and attacker-reachable findings.

1 May

Highlights: VS Code extension, a new ability for team admins to add apps, docs for SAML/SSO integration

What's new

  • ShiftLeft CORE Extension for VS Code: We are pleased to announce that our extension for VS Code is currently in beta. This extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities, all within your IDE. If you're interested in this extension, please contact ShiftLeft.

  • Team admin rights: We have updated the rights assigned to those who are team admins. Team admins can now add applications to the teams to which they are assigned; they can also move apps among their teams.

  • SAML and SSO: If you're looking into configuring a SAML 2.0 integration so that users can log into ShiftLeft with single-sign on, we've documented the end-to-end process.

Reminder: ShiftLeft's domain name change

By 1 August 2022, we will have completed our migration from https://www.shiftleft.io to https://app.shiftleft.io. Please ensure that your scripts, SAML/SSO configuration, and other ShiftLeft integrations are using the new domain.

1 March

Highlights: Default branches, dependencies reports, and improved scan details

What's new

1 February

Highlights: SCA for Python and Go, updated build rules, additional Java support, refreshed API documentation, new access token types, Dashboard updates, and interactive remediation

What's new

  • Intelligent SCA for Python and Go: we are pleased to announce full SCA support for Python applications, as well as beta support for SCA for Go packages.

  • Build Rules v2: we have made many under-the-hood changes designed to improve the performance of our build rules functionality. Two of these changes are visible to you:

    • Build rules can now be used to fail builds with open-source vulnerabilities
    • You'll always see a report of the results printed whenever you execute build rules (previously, you had to pass in a --report flag when running sl check-analysis to view the report).
  • Java: we've expanded our support of Java applications to include those written using Java 14, 15, and 17.

  • API documentation: we've revamped our API documentation, expanding on the endpoint descriptions, adding sample values, and linking to Postman Collections that you can use to test the endpoints.

  • Service account and CI tokens: ShiftLeft now supports the creation of Service Account tokens, which can then, in turn, be used to create CI tokens. CI tokens are intended for automated pipelines that run ShiftLeft: they add security because they do not grant the bearer any extraneous permissions.

  • Scan details: we've updated the dashboard to display extended metadata regarding the scan, which is useful for debugging and troubleshooting issues that may arise during the code scanning process.

  • Updated vulnerability descriptions: we've improved the vulnerability descriptions we display to include a detailed explanation of the root cause, show developers what not to do, and why the code as-is leads to a vulnerability. The new descriptions also include actionable steps that help developers implement best practices and language-specific code samples that will eliminate the issue.

  • General dashboard updates: we've released several improvements to the dashboard, including:

    • The ability to switch the specific branch for the application whose results you're viewing
    • Additional sorting parameters (e.g., scan time)
    • Quick links that make it easy to get in touch with our support team, talk to our sales representatives, and upgrade your ShiftLeft subscriptions
  • Interactive remediation: the interactive remediation feature allows developers to declare findings and patterns that NG SAST should account for when analyzing code, allowing them to customize the tool as needed.