2nd/10_Wiki/Topics/Architecture/시프트_레프트(Shift-Left).md
koriweb d8a80f6272 chore(wiki): normalize dangling links to canonical titles (768 files / 1,200 links)
Replace [[wikilinks]] that differ only in spelling variants with the target document's canonical title,
reconnecting 1,200 broken links. Only exact title/filename normalization matches are applied; alias matching
is excluded as an over-merge risk (ambiguity guard). Originals are backed up in _link_reconcile_backup/.
Tool: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00


| field | value |
|---|---|
| id | wiki-2026-0508-시프트-레프트-shift-left |
| title | 시프트 레프트 (Shift-Left) |
| category | 10_Wiki/Topics |
| status | verified |
| canonical_id | self |
| aliases | Shift Left, Shift-Left Testing, Shift-Left Security |
| duplicate_of | none |
| source_trust_level | A |
| confidence_score | 0.9 |
| verification_status | applied |
| tags | devops, testing, security, ci-cd |
| raw_sources | |
| last_reinforced | 2026-05-10 |
| github_commit | pending |
| tech_stack | language: agnostic; framework: ci-cd |

Shift-Left (시프트 레프트)

In one line

"The earlier a defect is found, the exponentially lower the cost of fixing it." Named by Larry Smith in 2001. Move testing, security and compliance to the left of the SDLC (design and coding). The 2026 form: SAST plus AI-assisted review (Claude Opus 4.7, GitHub Copilot) inside the IDE, catching defects before the commit.

Core

Cost curve (Boehm / NIST): relative cost of fixing a defect by the phase in which it is found

  • design phase: 1x
  • implementation: 5x
  • testing: 10x
  • production: 100x+

Application areas

  • Testing: TDD; unit tests in a pre-commit hook.
  • Security: SAST (Semgrep, CodeQL), SCA (Dependabot, Snyk), secret scanning (gitleaks).
  • Compliance: policy as code (OPA / Conftest).
  • Infrastructure: tfsec, checkov.
  • Quality: lint and type checks on IDE save.

In practice

  1. Pre-commit hooks give feedback within about 30 seconds.
  2. PR-blocking CI keeps main clean.
  3. AI review (Claude Code / Copilot) catches defects at the design phase.

💻 Patterns

Pre-commit hook config

```yaml
# .pre-commit-config.yaml
# Runs on every `git commit` once `pre-commit install` has been done; target is a sub-30-second loop.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks: [{ id: gitleaks }]                                  # secret scanning on the staged changes
  - repo: https://github.com/semgrep/semgrep                   # formerly returntocorp/semgrep; the old URL redirects
    rev: v1.95.0
    hooks: [{ id: semgrep, args: [--config=auto, --error] }]   # --error: non-zero exit on any finding
  - repo: local
    hooks:
      - id: pytest-changed
        name: pytest-changed
        entry: pytest --testmon      # needs the pytest-testmon plugin; reruns only tests affected by the change
        language: system
        pass_filenames: false
```

GitHub Actions: shift-left CI

```yaml
# .github/workflows/shift-left.yml
name: shift-left
on: [pull_request]
permissions:
  contents: read
  security-events: write          # required for CodeQL to upload its SARIF results
jobs:
  shift-left:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }  # full history so gitleaks sees every commit in the PR
      - uses: github/codeql-action/init@v3
        with: { languages: python }
      - uses: github/codeql-action/analyze@v3
      - uses: aquasecurity/tfsec-action@v1
      - run: npx snyk test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # snyk test fails without authentication
      - uses: gitleaks/gitleaks-action@v2           # runs `gitleaks detect` over the checked-out history
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Policy as code (OPA / Rego)

```rego
# policy/s3_encryption.rego, evaluated with
#   conftest test --policy policy/ --namespace terraform.s3 plan.json
# where plan.json comes from `terraform show -json plan.out`
package terraform.s3

import rego.v1   # `contains`/`if` syntax: mandatory in OPA 1.0+, accepted by OPA >= 0.59

deny contains msg if {
    resource := input.resource_changes[_]
    resource.type == "aws_s3_bucket"
    resource.change.after != null    # skip buckets that are being destroyed
    not resource.change.after.server_side_encryption_configuration
    msg := sprintf("S3 bucket %v: encryption not configured", [resource.address])
}
# Caveat: with AWS provider >= 4 the inline block is deprecated and encryption lives on a
# separate aws_s3_bucket_server_side_encryption_configuration resource, which this rule does
# not see; extend it, or rely on a dedicated scanner (tfsec / checkov), for that case.
```
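The same rule as a Python policy check over Terraform plan JSON, as an added example that is not part of the original page or the project's code. It generalises the Rego rule above by also accepting the AWS provider v4+ form, where encryption is a separate `aws_s3_bucket_server_side_encryption_configuration` resource pointing at the bucket; the sample plan embedded at the bottom is constructed and trimmed to the fields the check reads.

```python
"""Policy-as-code check for S3 server-side encryption over Terraform plan JSON
(`terraform show -json plan.out`). Added example, not the page's own code."""
import json
import sys

BUCKET = "aws_s3_bucket"
SSE = "aws_s3_bucket_server_side_encryption_configuration"


def _after(rc: dict) -> dict:
    """Post-apply attributes of a resource change (empty for deletions)."""
    return rc.get("change", {}).get("after") or {}


def sse_targets(plan: dict) -> set[str]:
    """Identifiers (bucket names or resource addresses) covered by a standalone SSE resource."""
    targets: set[str] = set()
    for rc in plan.get("resource_changes", []):
        if rc["type"] == SSE and _after(rc).get("bucket"):
            targets.add(_after(rc)["bucket"])          # bucket name known at plan time
    # When the bucket id is unknown until apply it is absent from `after`;
    # the configuration section still carries the reference expression.
    root = plan.get("configuration", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") == SSE:
            refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
            targets.update(refs)                        # e.g. "aws_s3_bucket.logs.id"
    return targets


def deny(plan: dict) -> list[str]:
    """One message per bucket that will exist after apply without encryption."""
    covered = sse_targets(plan)
    msgs = []
    for rc in plan.get("resource_changes", []):
        if rc["type"] != BUCKET or rc["change"]["actions"] == ["delete"]:
            continue
        after = _after(rc)
        inline = bool(after.get("server_side_encryption_configuration"))   # provider < 4 inline block
        referenced = any(
            t == after.get("bucket") or t == rc["address"] or t.startswith(rc["address"] + ".")
            for t in covered
        )
        if not (inline or referenced):
            msgs.append(f"S3 bucket {rc['address']}: encryption not configured")
    return msgs


# Constructed sample plan: one bucket covered by a standalone SSE resource, one
# unprotected, one legacy bucket with the inline block, one being destroyed.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": BUCKET,
         "change": {"actions": ["create"],
                    "after": {"bucket": "acme-logs", "server_side_encryption_configuration": []}}},
        {"address": f"{SSE}.logs", "type": SSE,
         "change": {"actions": ["create"],
                    "after": {"rule": [{"apply_server_side_encryption_by_default":
                                        [{"sse_algorithm": "aws:kms"}]}]}}},
        {"address": "aws_s3_bucket.scratch", "type": BUCKET,
         "change": {"actions": ["create"],
                    "after": {"bucket": "acme-scratch", "server_side_encryption_configuration": []}}},
        {"address": "aws_s3_bucket.legacy", "type": BUCKET,
         "change": {"actions": ["update"],
                    "after": {"bucket": "acme-legacy", "server_side_encryption_configuration":
                              [{"rule": [{"apply_server_side_encryption_by_default":
                                          [{"sse_algorithm": "AES256"}]}]}]}}},
        {"address": "aws_s3_bucket.retired", "type": BUCKET,
         "change": {"actions": ["delete"], "after": None}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": f"{SSE}.logs", "type": SSE,
         "expressions": {"bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}}},
    ]}},
}


def main(argv: list[str]) -> int:
    """`python s3_policy.py plan.json`; without an argument the constructed sample is used."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = deny(plan)
    for m in findings:
        print("DENY", m)
    return 1 if findings else 0   # non-zero exit blocks the PR


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, only `aws_s3_bucket.scratch` is denied: `logs` is covered through the configuration reference, `legacy` through the inline block, and `retired` is skipped because it is being deleted. Matching on the reference expression is what keeps the check from failing on buckets whose id is not known until apply.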

IDE-time SAST (VS Code Semgrep)

```jsonc
// .vscode/settings.json (Semgrep VS Code extension)
{
  "semgrep.scan.configuration": ["auto", "p/owasp-top-ten"],
  "semgrep.scan.onSave": true,
  "editor.codeActionsOnSave": { "source.fixAll": "explicit" }
}
```

AI design review (Claude Code, Claude Opus 4.7)

```bash
# Non-interactive (print) mode: the staged diff is piped in and the prompt carries the
# review rules; wrap this in a pre-commit `local` hook to run it before every commit.
git diff --cached | claude -p \
  "Review this diff for OWASP Top 10 issues, race conditions and error-handling gaps; list each finding with file and line."
```

Decision criteria

| Situation | Approach |
|---|---|
| Preventing secret leaks | gitleaks pre-commit + GitHub secret scanning |
| Dependency vulnerabilities | Dependabot + Snyk in the PR |
| IaC misconfiguration | tfsec + OPA |
| Logic bugs | TDD + property-based tests |
| Design flaws | AI-assisted review (Claude / Copilot) |

Default: pre-commit (lint + secrets) + PR CI (SAST + SCA + tests).

🔗 Graph

🤖 Using LLMs

When: first-pass PR review, generating security policies, generating test cases. When not: the final security sign-off, which requires a human security engineer.

Anti-patterns

  • Shift-left without budget: shifting only the responsibility onto developers, with no time or tooling.
  • Tool spam: 30 different scanners; the noise gets ignored.
  • Block on everything: false positives erode trust in the gate.
  • No baseline: blocking on every finding in legacy code.
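A baseline-aware gate that answers the last two anti-patterns, as an added example that is not part of the original page: it fails the check only on findings that are new relative to a committed baseline, and only at blocking severity, so legacy debt and low-severity noise are reported without stopping the PR. The finding record shape and the two scans at the bottom are constructed assumptions, not any scanner's native output; Semgrep (`--baseline-commit`) and gitleaks (`--baseline-path`) offer the same idea natively.

```python
"""Baseline-aware finding gate for a shift-left CI step.
Added example, not the page's own code; the finding format is an assumption."""
import hashlib
import json
from pathlib import Path

BLOCKING = {"HIGH", "CRITICAL"}


def fingerprint(f: dict) -> str:
    """Identity that survives line shifts: hash rule id, path and the
    whitespace-normalised flagged line, never the line number."""
    line = " ".join(f["line"].split())
    return hashlib.sha256(f"{f['rule_id']}\0{f['path']}\0{line}".encode()).hexdigest()[:16]


def make_baseline(findings: list[dict]) -> set[str]:
    """Snapshot of every known finding (run once against main, commit the result)."""
    return {fingerprint(f) for f in findings}


def new_findings(findings: list[dict], baseline: set[str]) -> list[dict]:
    """Findings whose fingerprint is not in the baseline."""
    return [f for f in findings if fingerprint(f) not in baseline]


def gate(findings: list[dict], baseline: set[str]) -> tuple[bool, list[dict]]:
    """Return (block, new findings). Only NEW findings at blocking severity fail
    the check; lower-severity ones are surfaced without blocking."""
    fresh = new_findings(findings, baseline)
    return any(f["severity"] in BLOCKING for f in fresh), fresh


def save_baseline(baseline: set[str], path: Path) -> None:
    """Persist the baseline as a sorted JSON list so diffs of it stay readable."""
    path.write_text(json.dumps(sorted(baseline), indent=0) + "\n")


def load_baseline(path: Path) -> set[str]:
    """Missing baseline file means an empty baseline: everything is new."""
    return set(json.loads(path.read_text())) if path.exists() else set()


# Constructed sample data: a scan of main (the baseline) and a scan of the PR branch.
MAIN_SCAN = [
    {"rule_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
     "line": "subprocess.run(cmd, shell=True)", "severity": "HIGH"},
    {"rule_id": "secrets.aws-access-token", "path": "scripts/old_deploy.sh",
     "line": 'export AWS_ACCESS_KEY_ID="AKIAEXAMPLEKEY000000"', "severity": "CRITICAL"},
]
PR_SCAN = [
    # the same legacy findings, the first one now on a different line with different spacing
    {"rule_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
     "line": "subprocess.run(cmd,   shell=True)", "severity": "HIGH"},
    {"rule_id": "secrets.aws-access-token", "path": "scripts/old_deploy.sh",
     "line": 'export AWS_ACCESS_KEY_ID="AKIAEXAMPLEKEY000000"', "severity": "CRITICAL"},
    # genuinely introduced by this PR
    {"rule_id": "python.sqlalchemy.security.sqlalchemy-execute-raw-query", "path": "app/db.py",
     "line": 'conn.execute(f"SELECT * FROM users WHERE id={uid}")', "severity": "HIGH"},
    {"rule_id": "python.lang.best-practice.open-never-closed", "path": "app/db.py",
     "line": "f = open(path)", "severity": "LOW"},
]

if __name__ == "__main__":
    block, fresh = gate(PR_SCAN, make_baseline(MAIN_SCAN))
    for f in fresh:
        print(f"{f['severity']:8} {f['path']}: {f['rule_id']}")
    raise SystemExit(1 if block else 0)
```

On the sample, the two legacy findings are recognised despite the line shift, the new HIGH raw-query finding blocks the PR, and the new LOW finding is listed but would not block on its own. Regenerate and commit the baseline whenever legacy findings are actually fixed, otherwise a fixed-then-reintroduced defect stays invisible.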

🧪 Verification / duplicates

  • Verified (Smith 2001, Shift-Left Testing; Forrester State of Application Security 2025; OWASP DevSecOps Guideline).
  • Trust level A.

🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: pre-commit, OPA and AI review patterns added |