---
id: wiki-2026-0508-시프트-레프트-shift-left
title: Shift-Left (시프트 레프트)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Shift Left, Shift-Left Testing, Shift-Left Security]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [devops, testing, security, ci-cd]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: agnostic
  framework: ci-cd
---

# Shift-Left (시프트 레프트)

## One line

> **"The cost of a defect falls exponentially the earlier it is found."**

Named by Larry Smith in 2001. Shift-left moves testing, security and compliance checks toward the left end of the SDLC (design / coding). The 2026 form: SAST plus AI-assisted review (Claude Opus 4.7, GitHub Copilot) running inside the IDE, so defects are caught before a commit exists.

## Core

### Cost curve (Boehm / NIST)

Relative cost of fixing one defect, by the phase in which it is found (rough multipliers, not measurements of any one project):

- design phase: 1x
- implementation: 5x
- testing: 10x
- production: 100x+

### Application areas

- **Testing**: TDD / unit tests in a pre-commit hook.
- **Security**: SAST (Semgrep, CodeQL), SCA (Dependabot, Snyk), secret scanning (gitleaks).
- **Compliance**: policy as code (OPA / Conftest).
- **Infrastructure**: tfsec, checkov.
- **Quality**: lint / type check on IDE save.

### In practice

1. Pre-commit hooks: feedback in roughly 30 seconds, before the code leaves the developer's machine.
2. PR-blocking CI: `main` stays clean because nothing merges with a failing check.
3. AI review (Claude Code / Copilot): defect detection at the design phase.
## 💻 Patterns

### Pre-commit hook config

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks: [{ id: gitleaks }]
  - repo: https://github.com/semgrep/pre-commit   # hook repo (the old returntocorp/semgrep path redirects here)
    rev: v1.95.0
    # --config=auto fetches rules over the network; --error makes findings fail the hook
    hooks: [{ id: semgrep, args: [--config=auto, --error] }]
  - repo: local
    hooks:
      - id: pytest-changed
        name: pytest-changed
        entry: pytest --testmon   # needs the pytest-testmon plugin; reruns only tests affected by the change
        language: system
        pass_filenames: false
```

### GitHub Actions: shift-left CI

```yaml
# .github/workflows/shift-left.yml
name: shift-left
on: [pull_request]
permissions:
  contents: read
  security-events: write   # CodeQL needs this to upload SARIF results
jobs:
  shift-left:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so the secret scan covers every commit in the PR
      - uses: github/codeql-action/init@v3
        with: { languages: python }
      - uses: github/codeql-action/analyze@v3
      - uses: aquasecurity/tfsec-action@v1
      - run: npx snyk test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - uses: gitleaks/gitleaks-action@v2   # gitleaks is not preinstalled on the runner
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

### Policy as code (OPA / Rego)

```rego
package terraform.s3

# Input is `terraform show -json tfplan`; run with `conftest test tfplan.json -p policy/`.
deny[msg] {
    resource := input.resource_changes[_]
    resource.type == "aws_s3_bucket"
    resource.change.actions[_] != "delete"   # ignore buckets being destroyed
    not encrypted(resource.change.after)
    msg := sprintf("S3 bucket %v: encryption not configured", [resource.address])
}

# Missing attribute: count() is undefined, so `not encrypted` holds. Empty list: count is 0, same result.
# (Provider v4+ encryption set through the separate *_server_side_encryption_configuration resource is not checked here.)
encrypted(after) { count(after.server_side_encryption_configuration) > 0 }
```

### IDE-time SAST (VS Code Semgrep)

```json
{
  "semgrep.scan.configuration": ["auto", "p/owasp-top-ten"],
  "semgrep.scan.onSave": true,
  "editor.codeActionsOnSave": { "source.fixAll": "explicit" }
}
```

### AI design review (Claude Code)

```bash
# Claude Code's non-interactive print mode (-p) over the staged diff; the prompt text is illustrative.
git diff --cached | claude -p \
  "Review this diff as a security engineer. Flag OWASP Top 10 issues, race conditions and missing error handling. Reply NONE if clean."
```

## Decision criteria

| Situation | Approach |
|---|---|
| Prevent secret leaks | gitleaks pre-commit + GitHub secret scanning |
| Dependency vulnerability | Dependabot + Snyk in PR |
| IaC misconfiguration | tfsec + OPA |
| Logic bug | TDD + property-based tests |
| Design flaw | AI-assisted review (Claude / Copilot) |

**Default**: pre-commit (lint + secret) + PR-CI (SAST + SCA + tests).
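The secret half of that default is the part that most often gets switched off in practice, because a naive scanner flags the whole repository on every commit. The script below is an added example (not code from this page, from gitleaks, or from any project) of the two behaviours that keep a pre-commit secret gate tolerable: it scans only the lines added in the staged diff, and it skips findings whose fingerprint is listed in a baseline file. The rule set, the entropy threshold, the file name `.secrets-baseline`, the script name `secret_gate.py` and the sample diff are all assumptions constructed for the example.

```python
"""secret_gate.py: staged-diff secret gate with a baseline (added example)."""
import hashlib
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Tuple

# Assumed rule set; a real scanner ships hundreds. Two fixed-format rules plus
# one "looks like a secret assignment" rule whose value is entropy-checked.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 4.0            # bits per character; assumed cut-off for the generic rule
BASELINE_FILE = ".secrets-baseline"  # assumed format: one fingerprint per line


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    secret: str

    def fingerprint(self) -> str:
        # Keyed on (rule, path, secret), not the line number, so an accepted
        # finding stays baselined when unrelated edits shift lines around it.
        raw = f"{self.rule}:{self.path}:{self.secret}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]

    def redacted(self) -> str:
        return f"{self.path}:{self.line} {self.rule} {self.secret[:4]}... ({self.fingerprint()})"


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'hunter2hunter2' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def added_lines(diff: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new-file line number, text) for each '+' line of a unified diff."""
    path, lineno = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif not raw.startswith(("-", "\\", "diff ", "index ")):
            lineno += 1  # unchanged context line advances the new-file counter


def scan_diff(diff: str, baseline: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Findings on added lines whose fingerprint is not already in the baseline."""
    findings: List[Finding] = []
    for path, lineno, text in added_lines(diff):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(1) if m.lastindex else m.group(0)
                if rule == "generic-secret-assignment" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                    continue  # low-entropy value: treated as a placeholder, not a secret
                finding = Finding(rule, path, lineno, secret)
                if finding.fingerprint() not in baseline:
                    findings.append(finding)
    return findings


def gate(diff: str, baseline: FrozenSet[str] = frozenset()) -> int:
    """Hook exit status: 0 = clean, 1 = at least one new secret."""
    findings = scan_diff(diff, baseline)
    for f in findings:
        print(f"BLOCK {f.redacted()}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample of what `git diff --cached` prints for one staged file.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,3 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 DEBUG = False
-TIMEOUT = 30
+TIMEOUT = 60
+API_TOKEN = "kq8Zr2mXv9Lp4Ws7Yt1Bn6Dc"
"""

if __name__ == "__main__":
    # Usage as a hook: git diff --cached -U0 | python secret_gate.py
    try:
        with open(BASELINE_FILE) as fh:
            known = frozenset(line.strip() for line in fh if line.strip())
    except FileNotFoundError:
        known = frozenset()
    sys.exit(gate(sys.stdin.read(), known))
```

On the sample diff the gate reports the AWS key on line 2 and the high-entropy `API_TOKEN` on line 6, while the low-entropy `DB_PASSWORD` placeholder is ignored; writing a finding's fingerprint into `.secrets-baseline` silences that one finding on later commits without silencing the rule. Scanning `git diff --cached` rather than the tree is what keeps the hook inside the 30-second budget on a large legacy repository.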
## 🔗 Graph

- Parent: [[CI/CD Pipeline & IDE Security Integration|DevSecOps]]
- Applied: [[SAST]] · [[SCA_Fundamentals|SCA]]
- Adjacent: [[TDD]] · [[Supply Chain Security]]

## 🤖 LLM usage

**When**: first-pass PR review / security policy generation / test case generation.

**When not**: final security sign-off, which needs a human security engineer.

## ❌ Antipatterns

- **Shift-left without budget**: pushing the responsibility onto developers without giving them time or tooling.
- **Tool spam**: 30 different scanners produce noise, and noise gets ignored.
- **Block on everything**: false positives that block merges destroy trust in the gate.
- **No baseline**: blocking on every finding in legacy code, so the gate is switched off on day one.

## 🧪 Verification / duplicates

- Verified (Smith 2001 *Shift-Left Testing*, Forrester *State of Application Security 2025*, OWASP DevSecOps Guideline).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: added pre-commit, OPA and AI review patterns |