ctrlshiftleft

AI-powered toolkit for embedding QA and security testing into development workflows

# ctrl.shift.left Integration Guide

This guide explains how the ctrl.shift.left toolkit integrates into development workflows to embed QA and security testing directly into the early stages of development.

## Integration Overview

The ctrl.shift.left toolkit is designed to be embedded at multiple points in the development workflow:

1. **Local Development**: CLI and IDE integration for real-time feedback
2. **Code Review**: Pre-commit hooks and automated PR checks
3. **CI/CD Pipeline**: Automated scanning, testing, and reporting
4. **Documentation**: Auto-generated security and QA documentation

## Development Workflow Integration

### Local Development

Developers can integrate ctrl.shift.left directly into their coding workflow:

```bash
# Start a watch process for security scanning
./bin/ctrlshiftleft watch src --type security

# Generate tests before implementing a feature (TDD approach)
./bin/ctrlshiftleft gen src/components/NewFeature.tsx

# Run a complete scan after implementation
./bin/ctrlshiftleft secure src/components/NewFeature.tsx
```

### IDE Integration

Our VS Code extension (in development) provides direct access to ctrl.shift.left capabilities:

1. Security issues highlighted directly in the editor
2. Quick actions to generate tests and checklists
3. Status bar indicator showing security status
4. One-click remediation suggestions

Until the full extension is ready, you can use the standalone CLI together with the VS Code tasks below.

### Recommended VS Code Tasks

Add these tasks to your `.vscode/tasks.json`:

```json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Analyze Current File",
      "type": "shell",
      "command": "${workspaceFolder}/bin/ctrlshiftleft analyze ${file}",
      "problemMatcher": []
    },
    {
      "label": "Generate Tests for Current File",
      "type": "shell",
      "command": "${workspaceFolder}/bin/ctrlshiftleft gen ${file}",
      "problemMatcher": []
    },
    {
      "label": "Generate Checklist for Current File",
      "type": "shell",
      "command": "${workspaceFolder}/bin/ctrlshiftleft checklist ${file}",
      "problemMatcher": []
    },
    {
      "label": "Full Scan of Current File",
      "type": "shell",
      "command": "${workspaceFolder}/bin/ctrlshiftleft secure ${file}",
      "problemMatcher": []
    }
  ]
}
```

## Code Review Integration

### Pre-commit Hooks

Add ctrl.shift.left to your pre-commit hooks using Husky:

```json
// package.json
{
  "husky": {
    "hooks": {
      "pre-commit": "./bin/ctrlshiftleft analyze src --staged-only"
    }
  }
}
```

This `package.json` block is the Husky 4 configuration format; Husky 5 and later read hook scripts from a `.husky/` directory instead. Treat the hook as a convenience for the developer rather than a control: `git commit --no-verify` skips it, so the CI checks below must run the same scans.

### Pull Request Automation

The GitHub workflow automatically runs on pull requests and:

1. Scans changed files for security issues
2. Generates tests for new components
3. Creates checklists for review
4. Comments on the PR with findings

## CI/CD Pipeline Integration

Our GitHub Actions workflow (`security-qa.yml`) provides:

1. **Security Scanning**: Automated vulnerability detection
2. **Test Generation & Execution**: Creating and running tests
3. **Checklist Creation**: Documentation of key areas for review
4. **Artifact Collection**: Preserving reports for audit purposes

### Example Jenkins Integration

Each `sh` step fails the stage when the CLI exits non-zero, and the reports are archived even when a step fails:

```groovy
pipeline {
  agent any
  stages {
    stage('Security & QA') {
      steps {
        sh './bin/ctrlshiftleft analyze src'
        sh './bin/ctrlshiftleft gen src'
        sh './bin/ctrlshiftleft checklist src'
      }
      post {
        always {
          archiveArtifacts artifacts: 'vscode-ext-test/*.md', allowEmptyArchive: true
        }
      }
    }
  }
}
```

## Documentation Integration

The toolkit auto-generates documentation that can be integrated with your project:

1. **Security Reports**: Detailed analysis of potential vulnerabilities
2. **QA Checklists**: Comprehensive quality reviews
3. **Test Documentation**: Generated test cases and their purposes

This documentation can be included in code reviews, shared with security teams, and used for compliance purposes.

## Real-world Example: PaymentForm

We've demonstrated the toolkit's capabilities by securing a payment form component:

1. **Initial Analysis**: Security scanning found critical issues
2. **Remediation**: Implemented fixes following best practices
3. **Verification**: Generated tests confirmed the improvements
4. **Documentation**: Created comprehensive reports for review
5. **CI Integration**: Automated ongoing verification

This end-to-end example shows how ctrl.shift.left helps "shift left" security and QA concerns to earlier stages of development, reducing both risk and the cost of fixing issues late.

## Next Steps

To further integrate ctrl.shift.left into your development workflow:

1. Complete the VS Code extension implementation for seamless IDE integration
2. Enhance the CI/CD pipeline integration with more detailed reporting
3. Create team-specific security and QA rules
4. Develop custom checklist templates for your application domain
5. Train developers on security best practices identified by the toolkit
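## Appendix: Example Changed-Files Scan Script

The Pre-commit Hooks and CI/CD Pipeline sections above both scan only the files a change touches. The script below is an added example of that selection logic written for this guide; it is not a script that ships with ctrl.shift.left, and its file name `scripts/csl-scan-changed.sh` is hypothetical. It assumes two things the guide does not state: that `ctrlshiftleft analyze` accepts a single path per call (as in the `analyze ${file}` VS Code task) and that it exits non-zero when it reports findings. One script serves both hooks: `sh scripts/csl-scan-changed.sh staged` from `.husky/pre-commit` (Husky 5+) or from the Husky 4 `pre-commit` entry, and `sh scripts/csl-scan-changed.sh range origin/main` from a CI step that has fetched the base branch (for GitHub Actions, `actions/checkout` with `fetch-depth: 0`, or an explicit `git fetch` of the base ref).

```shell
#!/bin/sh
# scripts/csl-scan-changed.sh -- added example for this guide, not a script that
# ships with ctrl.shift.left. Runs `ctrlshiftleft analyze` over only the files a
# change touches, so one script serves both hooks:
#   sh scripts/csl-scan-changed.sh staged              # pre-commit: staged files
#   sh scripts/csl-scan-changed.sh range origin/main   # CI: files changed vs. a base ref
# Assumed (not documented in the guide): `analyze` takes one path per call and
# exits non-zero when it reports findings. Override the binary with CSL_BIN.

set -eu

SCANNER="${CSL_BIN:-./bin/ctrlshiftleft}"

# Keep only the source types the toolkit targets. Reads one path per line on
# stdin; an empty result is not an error.
scannable_files() {
  grep -E '\.(ts|tsx|js|jsx)$' || true
}

# Staged paths that will still exist after the commit (Added/Copied/Modified).
# Deletions are excluded: there is nothing left on disk to scan.
staged_files() {
  git diff --cached --name-only --diff-filter=ACM
}

# Paths changed on HEAD since the merge base with "$1" (the PR diff).
range_files() {
  git diff --name-only --diff-filter=ACM "$1...HEAD"
}

# Scan every file and keep going after a failure so one run reports all of
# them. Returns 1 if any scan failed, 0 otherwise (including for zero files).
scan_files() {
  failed=0
  if [ "$#" -eq 0 ]; then
    echo "ctrl.shift.left: no changed source files, nothing to scan" >&2
    return 0
  fi
  for f in "$@"; do
    if ! "$SCANNER" analyze "$f"; then
      echo "ctrl.shift.left: findings in $f" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Entry point: "staged" (default) or "range <base-ref>". Returns 2 on misuse,
# otherwise the result of scan_files.
main() {
  mode="${1:-staged}"
  case "$mode" in
    staged)
      files=$(staged_files | scannable_files) ;;
    range)
      base="${2:-}"
      if [ -z "$base" ]; then
        echo "usage: $0 range <base-ref>" >&2
        return 2
      fi
      # Fail loudly if the base ref was never fetched; otherwise git prints an
      # error, the file list comes back empty and the scan would silently pass.
      if ! git rev-parse --verify --quiet "$base^{commit}" >/dev/null; then
        echo "ctrl.shift.left: base ref '$base' not found; fetch it first" >&2
        return 2
      fi
      files=$(range_files "$base" | scannable_files) ;;
    *)
      echo "usage: $0 staged | range <base-ref>" >&2
      return 2 ;;
  esac
  # Turn the newline-separated list into positional parameters. Paths with
  # spaces are fine because IFS is newline only; paths with newlines are not.
  nl='
'
  oldifs=$IFS
  IFS=$nl
  set -- $files
  IFS=$oldifs
  scan_files "$@"
}

# Run main only when executed as the script itself or as an installed git
# hook; sourcing the file just defines the functions.
case "${0##*/}" in
  csl-scan-changed.sh|pre-commit) main "$@" ;;
esac
```

Because `git commit --no-verify` skips the hook, the `range` mode in CI is the enforcement point; the `staged` mode only shortens the feedback loop. The script scans each file individually and continues after the first failure, so a single run lists every flagged file, and it scans nothing (and succeeds) when no TypeScript or JavaScript sources changed. The explicit base-ref check matters in CI: a shallow clone without the base branch would otherwise produce an empty diff and a green result for an unscanned change.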