Shift left for application security: a developer-first approach | SLB
Blog

Published: 12/06/2024

As software development evolves, so must the approach to security. Application security is essential throughout the development cycle, yet many organizations continue to rely on traditional pipelines that identify vulnerabilities, problematic dependencies, and license violations late in the process. This approach introduces delays, increases risks, and often forces developers to address security issues only after code has been pushed.

In this article, we explore how shifting security left empowers developers to catch and resolve issues early in the coding process by using tools integrated directly into their development environment.

The problem with traditional security pipelines

Traditional security pipelines usually scan code for vulnerabilities after the code has been pushed. While necessary, this presents several issues:

  • Time delays: Security pipelines add significant time to the build process. Developers must wait for these scans to finish before addressing potential issues.
  • Late discovery of issues: Vulnerabilities, problematic dependencies, and license violations that surface only after the push cause delays and rework.
  • Disconnected security efforts: Security tools and teams are often separated from the development process, so developers have to consult security dashboards to understand the issues in their code.
  • Maintenance costs: Security pipelines require frequent updates, adding complexity and increasing operational costs.

Shift left—bringing security closer to developers

Shift left is about moving security earlier in the software development lifecycle, empowering developers to address security concerns directly in their workflow. Rather than relying solely on downstream security checks, developers can integrate security into their environment as they write code, catching vulnerabilities, problematic dependencies, and license violations before code reaches production or even the pipeline.

Key benefits of this approach include:

  • Faster issue resolution: Developers can identify and fix security issues in real time as they code, reducing delays.
  • Increased developer awareness: Security tools are integrated into development environments, keeping developers aware of potential vulnerabilities.
  • Lower costs and risks: The earlier a vulnerability is detected, the less costly it is to fix, both in terms of development time and exposure.

A real-world example of shift left in action

In a recent internal SLB European hackathon, we tackled the challenge of detecting security vulnerabilities in code dependencies earlier in the development cycle. Our team created a tool that integrates directly into developers' coding environments, enabling them to identify and address security issues as they write code, without having to rely on post-development pipeline scans or external systems.

The tool, integrated as a Visual Studio Code (VSCode) extension, enables real-time detection of vulnerabilities in dependencies. It supports multiple programming ecosystems and gives developers immediate insights into potential threats, so they can resolve issues before they escalate. This developer-first approach to security was recognized with a first-place award for its impact on improving both security and development efficiency.

We selected VSCode for its popularity, flexibility, and ease of integration. Its extension ecosystem means we can seamlessly embed security checks such as static application security testing (SAST) and Common Vulnerabilities and Exposures (CVE) scanning into the coding workflow, ensuring a smooth, efficient developer experience without compromising performance.
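As an added illustration (not SLB's extension code), the core of such an editor-side dependency check could look like this in TypeScript, the language VSCode extensions are written in. It assumes a pinned requirements.txt open in the editor and a constructed, offline advisory list with placeholder identifiers, and it returns diagnostic-like findings with the 0-based line numbers an extension would use to place editor diagnostics.

```typescript
// Added example of an editor-side dependency vulnerability check; not SLB's extension.
// Advisory data is constructed and offline; the IDs are placeholders, not real CVEs.

interface Advisory { pkg: string; fixedIn: string; id: string; }
interface Finding { line: number; pkg: string; version: string; id: string; message: string; }

// Constructed advisory list: a package is affected when its version is below fixedIn.
const ADVISORIES: Advisory[] = [
  { pkg: "requests", fixedIn: "2.31.0", id: "EXAMPLE-ADV-0001" },
  { pkg: "pyyaml",   fixedIn: "5.4",    id: "EXAMPLE-ADV-0002" },
];

// Split a dotted version into numeric parts; non-numeric parts count as 0.
function parseVersion(v: string): number[] {
  return v.split(".").map((p) => parseInt(p, 10) || 0);
}

// Negative if a < b, zero if equal, positive if a > b. Missing parts count as 0,
// so "2.31" and "2.31.0" compare equal.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Scan the text of a pinned requirements.txt. Only "name==version" lines are
// considered; comments are stripped and names are normalised like pip does.
function scanRequirements(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((raw, line) => {
    const m = /^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)/.exec(raw.split("#")[0]);
    if (!m) return;
    const pkg = m[1].toLowerCase().replace(/_/g, "-");
    const version = m[2];
    for (const adv of ADVISORIES) {
      if (adv.pkg === pkg && compareVersions(version, adv.fixedIn) < 0) {
        findings.push({ line, pkg, version, id: adv.id,
          message: `${pkg} ${version} is affected by ${adv.id}; upgrade to >= ${adv.fixedIn}` });
      }
    }
  });
  return findings;
}

// Constructed sample manifest, as a developer might have it open in the editor.
const SAMPLE = "requests==2.25.1\nPyYAML==6.0  # fixed version\nflask==2.3.2\n";
```

In a real extension, each Finding would be turned into a diagnostic on the corresponding line so the developer sees the problem while editing, which is the point the hackathon tool demonstrates.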

Beyond vulnerabilities: expanding developer security tools

The plan is to move the security checks from the existing pipelines to the code editor. This includes:

Security vulnerabilities in code (SAST)

  • Pipeline tool: SonarQube, Semgrep, Gitleaks, etc.
  • Code editor: SonarLint and ESLint for real-time static analysis while coding.

Dependency vulnerabilities (CVE Scans)

  • Pipeline tool: Trivy, Snyk, Mend, etc.
  • Code editor: We developed our own CVE scanning extensions.

Code quality and bug detection

  • Pipeline tool: SonarQube, ESLint, etc.
  • Code editor: Extensions like SonarLint or ESLint can detect code smells while coding.

License violations (open-source compliance)

  • Pipeline tool: Snyk, Mend, etc.
  • Code editor: We’re investigating how we can move these checks into the code editor.

Details

Rémi Testa
Cyber-Security Engineer

Rémi is a senior cybersecurity engineer at SLB. He enjoys sharing his knowledge and passion for this field with others. Prior to his career in cybersecurity, he worked in software development for multiple companies for over 10 years.
Please contact Rémi on LinkedIn

Mellany Abdoulwahab
Full Stack Software Engineer

Mellany is a full-stack software engineer with nine years of experience. For the last two years, she has been working at SLB, improving her skills and learning about different areas of technology. Curious and passionate, Mellany constantly seeks to expand her knowledge, and she has recently discovered a genuine interest in cybersecurity, a field she is eager to explore further.
Please contact Mellany on LinkedIn

Article topics
Software