
Elevating Code Security: The Shift-Left Approach with Vorpal by Checkmarx

3 min.

December 2, 2024

Introducing Vorpal by Checkmarx

To educate and empower developers in writing secure code, Checkmarx has launched Vorpal, a developer-first tool that helps with following secure coding best practices, identifying errors, and guiding you on how to correct them early. Addressing security issues early in development by shifting left has been crucial for some time, but today it must cover both code written by developers and code being rapidly generated by AI tools.

Detecting issues early improves code quality and reduces the need for time-consuming security reviews, a burden that grows the further unaddressed code moves through the stages of development. By concentrating on security best practices during the coding phase, developers can produce more secure code, resulting in fewer but more precise findings at later stages. This proactive approach streamlines the development process and enhances overall efficiency.

Understanding the difference between SAST and Vorpal

While both tools examine static code, Vorpal is different from SAST and represents a significantly different approach. Vorpal detects violations of secure coding best practices, such as ‘Unsafe SQL Generation,’ which, while not immediately exploitable, can lead to significant risks like SQL injection if left unaddressed.
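As an added illustration of the ‘Unsafe SQL Generation’ pattern named above (example code written for this page, not Vorpal's own rules or output), the unsafe form splices input into the statement text while the hardened form binds it as a parameter; the table, rows and lookup functions are constructed here so the example runs offline.

```python
import sqlite3

# Constructed sample data so the example runs offline.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    # The pattern a best-practice checker flags as unsafe SQL generation:
    # untrusted input is pasted into the statement text, so it can alter
    # the query's structure instead of acting only as a value. Even when
    # the caller is trusted today, the construction itself is the risk.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_safe(conn, name):
    # Hardened form: the statement text is constant and the input travels
    # as a bound parameter, which the driver treats strictly as data.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name):
    """Run both lookups on the same input and return (unsafe, safe) results."""
    conn = make_db()
    try:
        return find_email_unsafe(conn, name), find_email_safe(conn, name)
    finally:
        conn.close()
```

For an ordinary name both functions agree; for input containing a quote the unsafe version's query no longer means what the developer wrote, which is why the construction is flagged before any such input ever reaches it.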

Optimal Scanning Timing

Vorpal focuses on analyzing individual files and short code snippets, providing actionable insights to developers. A scan that identifies thousands of potential issues takes time to evaluate, making it difficult for R&D teams to address every issue promptly. For deeper and more thorough analysis, SAST tools play a critical role. Vorpal instead narrows its focus to the specific lines of code that developers are currently working on, allowing for fast remediation and enabling developers to fix issues while they are still working on that section of code.

It’s important to remember that a developer is not a security expert. While developers strive to write secure code, their focus is typically on the immediate task at hand, so their attention to security concerns like SQL injection may not always extend beyond the specific code they are working on. Developers also work in a fast-paced environment with many time constraints, so any assistance in writing more secure and efficient code is invaluable.

By keeping the scope narrow, Vorpal ensures that secure coding best-practice issues are actionable and manageable, highlighting security concerns early, before merging to the main branch or while the code is still in active development. This targeted approach ensures that security issues are addressed at the right moment in the development process.

Empowering Developers with Actionable Insights

Vorpal provides developers with clear, actionable feedback on detected issues, complete with detailed descriptions and remediation advice. This immediate guidance enables developers to quickly enhance the security of their codebases, fostering a culture of security awareness and responsibility within development teams.

By integrating Vorpal into their workflows, developers can not only write better code but also contribute to a more secure software development ecosystem. Embracing this approach is essential for building robust applications that stand strong against ever-evolving security threats.

Who can benefit from it?

Vorpal is freely available worldwide to all developers as a GitHub Action!

Wondering how to get started? Here’s how:

Security Best Practices: Vorpal flags potential security issues with actionable feedback to help improve your code.

Fail the Pull Request (PR): Choose whether to fail the pull request when issues are detected, giving you full control over your process.

Get started today and take your code security to the next level with Vorpal!

Checkmarx users can take this to the next level and, using the same engine under the hood, get real-time feedback in their IDE for human- or AI-written code using the AI Secure Coding Assistant (ASCA). Learn more about real-time in-IDE scanning here.