
Shift-Left Testing

devops Intermediate

Also Known As

shift left, test earlier, dev testing, SAST

TL;DR

Moving testing earlier in the development process — catching bugs at the developer's machine and PR stage rather than in staging or production.

Explanation

The traditional testing pyramid deferred integration and security testing to late stages. Shift-left brings them forward: pre-commit hooks run linting and unit tests locally, PRs trigger full CI (unit tests, integration tests, static analysis, SAST), feature branches deploy to ephemeral environments, and security scanning runs before merge. Cost of fixing a bug: $1 at commit time, $10 in PR review, $100 in staging, $1000 in production. Shift-left tools include pre-commit hooks, GitHub Actions, PHPStan, SAST scanners, and contract tests.

Common Misconception

Misconception: shift-left means only unit tests run early. In fact, shift-left applies to all types of testing: security (SAST), accessibility (axe-core), performance (Lighthouse CI), and contract tests can all run at PR time.

Why It Matters

A security vulnerability caught by SAST in a PR takes 10 minutes to fix — the same vulnerability discovered in production after 6 months of exploitation costs millions and regulatory fines.

Common Mistakes

  • Slow pre-commit hooks — hooks over 10 seconds get bypassed with --no-verify.
  • Only linting in pre-commit — include fast unit tests for immediate feedback.
  • No ephemeral PR environments — developers cannot test their changes in isolation.
  • Security scanning only before release — SAST should run on every PR.

Code Examples

✗ Vulnerable
// All testing deferred to staging:
// Developer commits → pushed to main → deployed to staging
// QA tests manually → finds bug after 3 days
// Developer context-switched to other work
// Fixing: 1 hour of relearning + 30 min fix
// Cost: 1.5 hours + delayed release
✓ Fixed
// Shift-left: caught immediately:
// pre-commit: phpcs + phpstan (10 seconds)
// PR: full CI in 5 minutes:
//   unit tests, integration tests
//   static analysis at level 8
//   SAST scan (SonarQube)
//   Lighthouse CI for performance
//   Ephemeral environment deployed
// Developer still has full context
// Fixing: 10 minutes
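
An added example, not part of the original page: a pre-commit hook that runs phpcs and PHPStan only on staged PHP files and warns when it exceeds the 10-second budget named under Common Mistakes. The `vendor/bin` paths, the `PHPCS`, `PHPSTAN` and `BUDGET_SECONDS` override variables, and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original page): save as .git/hooks/pre-commit.
# Assumptions: tools live in vendor/bin; PHPCS, PHPSTAN and BUDGET_SECONDS
# are hypothetical override variables introduced for this example.
PHPCS="${PHPCS:-vendor/bin/phpcs}"
PHPSTAN="${PHPSTAN:-vendor/bin/phpstan analyse --no-progress --level=8}"
BUDGET_SECONDS="${BUDGET_SECONDS:-10}"   # the page's 10-second threshold

# Keep only .php paths from a newline-separated list on stdin.
filter_php() { grep -E '\.php$' || true; }

# Succeeds (0) when the elapsed seconds in $1 exceed the budget.
over_budget() { [ "$1" -gt "$BUDGET_SECONDS" ]; }

# Lint and analyse the given files; non-zero if either tool reports a problem.
check_files() {
    [ "$#" -gt 0 ] || return 0           # nothing staged: nothing to do
    $PHPCS "$@" || return 1
    $PHPSTAN "$@" || return 1
}

main() {
    start=$(date +%s)
    # Only staged added/copied/modified files: this keeps the hook fast.
    staged=$(git diff --cached --name-only --diff-filter=ACM | filter_php)
    old_ifs=$IFS; IFS='
'; set -f
    set -- $staged                       # split on newlines only, no globbing
    set +f; IFS=$old_ifs
    check_files "$@" || { echo "pre-commit: fix the findings above" >&2; return 1; }
    elapsed=$(( $(date +%s) - start ))
    if over_budget "$elapsed"; then
        # Warn instead of failing: a slow hook invites --no-verify.
        echo "pre-commit: took ${elapsed}s (budget ${BUDGET_SECONDS}s); move slow checks to CI" >&2
    fi
    return 0
}

# Run only when installed as the hook, so the functions can be sourced and tested.
case "${0##*/}" in pre-commit) main "$@" ;; esac
```

Because `--no-verify` skips the hook entirely, the same checks still need to run in PR CI, where they cannot be bypassed locally.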

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Medium
⚡ Quick Fix
Move testing as close to development as possible: type checking and linting on save, unit tests on commit, integration tests in CI. Finding a bug at commit time costs 100x less than finding it in production.
📦 Applies To
any, web, cli
🔍 Detection Hints
Tests only run in CI not locally; no pre-commit hooks; security scanning only at deployment; bugs regularly found in production not development
Auto-detectable: ✓ Yes (phpstan, phpunit, captainhook, semgrep)
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: High Context: File Tests: Update