Back to all posts

Shifting Security Left with Trunk Check

By Matt MathesonSeptember 15, 2023
Code Quality

Think about this: After two weeks of intense coding, just when you're ready to launch your new feature, a security check throws everything off balance. The culprit? A vulnerability was found in a library, potentially sending two weeks of effort down the drain. This not only dampens the developer's spirit but also saps company resources. Regrettably, it's not uncommon. Security tests often come in at the last moment, rather than being woven into the development fabric.

The solution? Introducing security earlier in the development cycle, or "shifting security left." Trunk Check for Security embodies this concept, embedding security checks right from the get-go. When vulnerabilities are identified and fixed in the early stages of development, it saves both time and money, leading to a better coding experience.

Thou shalt not depend on me

A 2017 study by Northeastern University aptly named "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web" revealed 37% of 133,000 websites used a JavaScript library with known vulnerabilities. More recently, 84% of 1,703 reviewed codebases had at least one such vulnerability.

Open-source libraries have vulnerabilities. The Equifax data breach demonstrates how vulnerable this system is. Programming mistakes, complexity, lack of security knowledge, and insufficient review or maintenance–the problems are common, not just in open source–can lead to security issues. That’s before we factor in intentional malicious activity or supply chain issues with dependencies of dependencies.

It is difficult for maintainers to produce high-quality libraries without vulnerabilities. So, developers need security testing within their workflow to find these issues.

But there are two problems wrapped in one here:

  1. New vulnerabilities appear daily. In the last 30 days there were 2,351 new vulnerabilities added to the CVE security vulnerability database. About 80 per day.

  2. Old vulnerabilities are patched, but codebases don’t update to the newest version. Say you pulled Lodash 4.17.20 into your project 3 years ago. It’s exactly a kind of set-it-and-forget-it library that you’ll use throughout your code. But two years ago it had a critical vulnerability fix. If your package.json still has this version of Lodash, your code is vulnerable.

Shifting security left helps developers with both of these problems, which, in turn, helps companies.

Shifting left for developers

When security is considered at every step of the development process rather than as an afterthought, it fundamentally changes the way developers work and the quality of the code they produce.

Firstly, by avoiding the time sink problem above. By catching and addressing security issues early, developers can avoid having to scrap or heavily revise their work after significant time and effort have already been invested. Knowing immediately what vulnerabilities are in your code versus waiting until you open a pull request is obviously preferable. This gives developers their time back and increases development speed.

But there are other reasons to move security earlier in the workflow:

  • Managing Unknowns: The earlier a security vulnerability is discovered, the fewer unknowns the developer has to contend with in fixing it. Knowing that potential security issues are being checked in real-time and addressed from the start, developers can work with greater confidence and peace of mind. This can improve their focus, productivity, and overall quality of their work.

  • Reducing Manual Checking: When security checking happens at the end of the cycle, developers have to do their own research to find and fix vulnerabilities earlier if they want to speed up the process. By shifting left, you automate the work of finding and fixing vulnerabilities. This not only saves time but reduces the risk of human error.

  • Better Security Mindset: Developers can cultivate a better security mindset by consistently considering security during the development process. This can help them write more secure code, reducing the number of vulnerabilities that need to be caught and fixed.

Ultimately, these benefits lead to higher-quality, more secure code. This improves the finished product and makes creating it more efficient, enjoyable, and rewarding for developers. 

Trunk Check for Security is all about this left shift. It integrates with the developer workflow, showing results in your IDE and the command line. You can also integrate Trunk Check for Security as a Git hook so when developers try to push their code, any discovered security issues will mean they can’t push until the check is clean.

Security isn’t about just-in-time reporting. There will be corners of your codebase that have been untouched for months, maybe years. In this scenario, Trunk Check for Security can run a scheduled analysis on all your repos to find current vulnerabilities. Trunk will ping you with a Slack alert for new security issues that are found.

Best of all, developers can do all of this locally. Whereas other security plugins use PRs as the primary mechanism for scanning for security issues, Trunk Check for Security can be used at any point.

Shifting left for companies

Shifting security left doesn't only streamline the work of individual developers. It also brings substantial benefits to the companies they work for. 

By detecting security vulnerabilities early in the development process, companies can avoid the considerable costs associated with fixing issues in later stages of development or post-deployment. Shifting left thus leads to a more efficient use of resources and potentially significant cost savings. The time and effort saved by early vulnerability detection can also be redirected towards other tasks, speeding up the development process and helping the company ship more quickly and securely.

Better security overall also leads to reduced risk and improved compliance. The sooner vulnerabilities are detected and addressed, the less likely they are to be exploited by attackers. This reduces the risk of costly security breaches, protecting the company's reputation. With security issues addressed proactively, companies are better equipped to comply with regulatory standards and avoid penalties associated with non-compliance.

With Trunk Check for Security, companies better understand the security posture of their entire codebase. This knowledge can guide strategic decisions, helping companies prioritize their efforts effectively. Having both real-time vulnerability checking and continuous monitoring helps ensure that no security issue goes unnoticed.

Secure as a starting point

Security in software development is often seen as a last hurdle or an afterthought. At Trunk, we’re shifting this narrative. We aim to integrate security directly into the development process, turning it from a reactive step to a proactive foundation.

For developers, this equates to real-time handling of vulnerabilities, mitigating delays, and improving code quality. For companies, this proactive stance enhances software reliability, reduces risks and costs associated with security breaches, and fosters compliance with regulatory standards. 

As Trunk Check for Security integrates seamlessly with your workflow, shifting left becomes less of a challenge and more of an empowerment. By making security the starting point, we’re not just addressing vulnerabilities but building a stronger foundation for all software development. The shift left isn’t just about detecting security issues; it’s about building security into one of your core practices.

To start securing your code, all you need to do is set up Trunk Check and make sure it is updated to the latest version. If you’re new to Trunk, you can try it for free or request a demo to get started.

Try it yourself or
request a demo

Get started for free

Try it yourself or
Request a Demo

Free for first 5 users