{ "slug": "shift_left_testing", "term": "Shift-Left Testing", "category": "devops", "difficulty": "intermediate", "short": "Moving testing earlier in the development process — catching bugs at the developer's machine and PR stage rather than in staging or production.", "long": "Traditional testing pyramid deferred integration and security testing to late stages. Shift-left brings it forward: pre-commit hooks run linting and unit tests locally, PRs trigger full CI (unit, integration, static analysis, SAST), feature branches deploy to ephemeral environments, and security scanning runs before merge. Cost of fixing a bug: $1 at commit time, $10 in PR review, $100 in staging, $1000 in production. Shift-left tools: pre-commit hooks, GitHub Actions, PHPStan, SAST scanners, contract tests.", "aliases": [ "shift left", "test earlier", "dev testing", "SAST" ], "tags": [ "devops", "testing", "quality", "ci-cd" ], "misconception": "Shift-left means only unit tests run early — shift-left applies to all types of testing: security (SAST), accessibility (axe-core), performance (Lighthouse CI), and contract tests can all run at PR time.", "why_it_matters": "A security vulnerability caught by SAST in a PR takes 10 minutes to fix — the same vulnerability discovered in production after 6 months of exploitation costs millions and regulatory fines.", "common_mistakes": [ "Slow pre-commit hooks — hooks over 10 seconds get bypassed with --no-verify.", "Only linting in pre-commit — include fast unit tests for immediate feedback.", "No ephemeral PR environments — developers cannot test their changes in isolation.", "Security scanning only before release — SAST should run on every PR." ], "when_to_use": [], "avoid_when": [], "related": [ "test_driven_development", "git_hooks_deep", "continuous_integration", "github_actions_php" ], "prerequisites": [ "continuous_integration", "test_pyramid", "security_by_design" ], "refs": [ "https://www.ibm.com/topics/shift-left-testing" ], "bad_code": "// All testing deferred to staging:\n// Developer commits → pushed to main → deployed to staging\n// QA tests manually → finds bug after 3 days\n// Developer context-switched to other work\n// Fixing: 1 hour of relearning + 30 min fix\n// Cost: 1.5 hours + delayed release", "good_code": "// Shift-left: caught immediately:\n// pre-commit: phpcs + phpstan (10 seconds)\n// PR: full CI in 5 minutes:\n// unit tests, integration tests\n// static analysis at level 8\n// SAST scan (SonarQube)\n// Lighthouse CI for performance\n// Ephemeral environment deployed\n// Developer still has full context\n// Fixing: 10 minutes", "quick_fix": "Move testing as close to development as possible: type checking and linting on save, unit tests on commit, integration tests in CI — finding a bug at commit time costs 100x less than finding it in production", "severity": "medium", "effort": "medium", "created": "2026-03-16", "updated": "2026-03-22", "citation": { "canonical_url": "https://codeclaritylab.com/glossary/shift_left_testing", "html_url": "https://codeclaritylab.com/glossary/shift_left_testing", "json_url": "https://codeclaritylab.com/glossary/shift_left_testing.json", "source": "CodeClarityLab Glossary", "author": "P.F.", "author_url": "https://pfmedia.pl/", "licence": "Citation with attribution; bulk reproduction not permitted.", "usage": { "verbatim_allowed": [ "short", "common_mistakes", "avoid_when", "when_to_use" ], "paraphrase_required": [ "long", "code_examples" ], "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.", "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.", "attribution_examples": { "inline_mention": "According to CodeClarityLab: ", "markdown_link": "[Shift-Left Testing](https://codeclaritylab.com/glossary/shift_left_testing) (CodeClarityLab)", "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/shift_left_testing" } } } }