Why Shift Left is Failing: Key Takeaways from Codacy’s Latest Showcase

"Imagine vibe-coding in your favorite LLM, without the vibe migraine."
Codacy’s most recent showcase wasn’t just another product update; it marked the official launch of what may be the world’s first real shift-left security solution: Codacy Guardrails, a groundbreaking tool that protects code as it’s being written or even AI-generated.
The showcase brought together dev experts from Latio.tech, Refactoring, and Unstructured.io for a frank and insightful discussion about the realities of “shift left” security, and what comes next. Here’s everything you need to know.
The panel kicked off by challenging some common assumptions around Shift Left.
Our VP of Technology, Kendrick Curtis, was joined by James Berthoty (Latio.tech), Luca Rossi (Refactoring), and Robert Roskam (Unstructured.io), who shared their experiences on why shift left hasn’t delivered as promised.
Berthoty summed it up: “The problem that I see with shift left isn’t really a problem with the concept — it’s that people don’t actually shift left. They just take all the existing work, hand it to developers, and say, ‘Okay, this is your problem now.’”
Key reasons why shift left struggles today:
- It became a cost-savings myth: Many Chief Information Security Officers (CISOs) believed finding vulnerabilities earlier would cut costs dramatically. Instead, security tooling has gotten more expensive, and teams have had to hire DevSecOps experts to manage the growing complexity.
- Developer overload: Developers weren't magically empowered to fix every vulnerability they found. Security became another layer of cognitive burden on already stretched teams.
As Roskam explained, if you overload developers with 15 different security tasks every time they write a line of code, you’re going to get pushback. You need to prioritize and make it as easy as possible for them to do the right thing.
- The shift left happened, but it didn’t go far enough: Most security checks now occur during the merge or build stage, which is better than at or post-deployment, but still not during coding itself.
- Security still feels like a niche skill: Unlike DevOps, where tools democratize operations, security relies heavily on specialized expertise. In fact, a recent study revealed that 75% of new developers lack familiarity with secure software development practices, highlighting a significant training gap in the industry.
But it’s not all bad news.
Shift Left has increased overall awareness of software security. Modern teams are catching vulnerabilities earlier than ever, and security is becoming more "DevOps-ified," with better automation and data access.
Introducing Codacy Guardrails: A Real Shift Left (Finally)
The showcase also featured the world premiere of Codacy Guardrails, Codacy’s major new innovation for real-time secure AI development.
With Codacy Guardrails, we’ve shifted left past the developer, scanning AI-generated code as the AI generates it, not just when a human writes it. Powered by a new MCP server and the Codacy CLI, Guardrails delivers real-time security and code quality checks directly inside the IDE, providing instant feedback as code is created, whether by tools like Cursor or Copilot or by human hands.
In addition to Guardrails, Codacy has introduced other powerful features, such as automatic DAST scanning that can be launched with a single click and requires no complex pipeline configuration.
We also demoed Guardrails live during the showcase. Check out this video to see how it works.
It’s an exciting glimpse into AI-assisted secure coding, without overwhelming developers.
How AI Changes the Shift Left Conversation
The panel also explored the role of AI in modern development and security’s place in that future.
Highlights:
- AI lowers cognitive load: AI tooling and smart security guardrails could allow developers to do more with less stress.
- Security architects become coaches: Instead of fixing every minor issue themselves, security experts can focus on building safer foundations and guiding teams.
- Concerns about AI architecture decisions: AI is great at tactical code generation, but risky when left alone to make major architectural choices, meaning human review is still critical.
The conclusion? Rather than being a threat, AI, when combined with tools like Codacy Guardrails, can supercharge secure development instead of derailing it.
Final Thoughts: Tools Help, but Culture Matters
If there was one theme running through the entire event, it’s this: Tools are critical, but they’re not enough.
Even with Codacy Guardrails and better shift left practices, companies must:
- Reduce unnecessary cognitive load on developers.
- Embed security into design decisions, not just code review.
- Maintain strong human-led review processes.
- Foster a security-first culture without slowing down innovation.
Rossi reminded the audience that you can’t just buy a tool and expect magic to happen; you need to integrate it in a way that fits your culture, your workflows, and your development teams.
Want to give Guardrails a spin? You can get the IDE plugin or book a live demo with our dev security experts.