惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
博客园 - 三生石上(FineUI控件)
S
Securelist
U
Unit 42
The Cloudflare Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
T
Tenable Blog
The Hacker News
The Hacker News
The Register - Security
The Register - Security
IT之家
IT之家
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
博客园_首页
T
Tailwind CSS Blog
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
A
Arctic Wolf
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
V
Visual Studio Blog
月光博客
月光博客
爱范儿
爱范儿
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Nx Blog

Sharing Tailwind CSS Styles Across Apps in a Monorepo | Nx Blog How SiriusXM Stays Competitive by Iterating and Getting to Market Fast | Nx Blog Agentic Experience Is the New Developer Experience | Nx Blog Nx Joins the Linux Foundation and the Agentic AI Foundation | Nx Blog A Monorepo Is NOT a Monolith | Nx Blog Why we deleted (most of) our MCP tools | Nx Blog Teach Your AI Agent How to Work in a Monorepo | Nx Blog How Broadcom stays efficient and nimble with monorepos | Nx Blog Why Monorepos are King in the Age of AI | Nx Blog Nx 2026 Roadmap: Expanding Agent Autonomy, Improving Performance, Better Polyglot and More | Nx Blog End to End Autonomous AI Agent Workflows with Nx | Nx Blog Autonomous Agents at Scale | Nx Blog Scaling 700+ Projects: How Nx Became a 'No-Brainer' for Caseware | Nx Blog Configure Tailwind v4 with Angular in an Nx Monorepo | Nx Blog The Missing Multiplier for AI Agent Productivity | Nx Blog A Year of Nx Webinars | Nx Blog Wrapping Up 2025 | Nx Blog Nx 22.3 Release: Angular 21 Support, tsgo Compiler, and Prettier v3 | Nx Blog Nx Cloud Release: Agent Resource Usage | Nx Blog Nx Platform Outperforms DIY Cache by 5x | Nx Blog An Nx Carol: Past, Present, and Future of Your Monorepo | Nx Blog Nx 22.1 Release: Terminal UI on Windows, Storybook 10, Vitest 4, and more! | Nx Blog The Compounding Effect: How Nx Features Multiply Performance Gains | Nx Blog 10 Monorepo Myths Debunked: Separating Fact from Fiction | Nx Blog Nx Cloud Release: Enterprise Task Analytics | Nx Blog Watch and Rebuild Storybook Dependencies with Nx | Nx Blog Book - React for Enterprise: Timeless Architecture for Enterprise Apps | Nx Blog Beyond Remote Cache: Unlock 70% More CI Performance | Nx Blog Nx 22 Release: Expanding the build platform | Nx Blog What's the Point of Generating All This Code If You Can't Merge It? | Nx Blog What's New in Nx Self-Healing CI | Nx Blog Nx Highlights: Smarter AI integration, all-new graph UI, and big new versions of your favorite tools | Nx Blog Making the Case for Smarter Monorepos, and How to Not Get Fooled by Myths | Nx Blog Integrating Biome in 20 Minutes | Nx Blog S1ngularity - What Happened, How We Responded, What We Learned | Nx Blog Stop Babysitting Your PRs: Self-Healing CI Cuts Time to Green by 50% | Nx Blog UKG Unifies Their Codebase and Eliminates CI Overhead to Focus on Customer Value | Nx Blog How Git Worktrees Changed My AI Agent Workflow | Nx Blog Nx Cloud Workspace Graph: See Your Organization's Code Structure Like Never Before | Nx Blog Seamless Java Deployment in Nx Using Docker | Nx Blog Getting Mobile Into Your Monorepo: Android + Nx | Nx Blog Polyglot Projects Made Easy: Integrating Spring Boot into an Nx Workspace | Nx Blog The Journey of the Nx Plugin for Gradle: From Prototype to Production | Nx Blog Combining Predictability and Intelligence With Nx Generators and AI | Nx Blog A New UI For The Humble Terminal | Nx Blog Continuous tasks are a huge DX improvement | Nx Blog New and Improved Module Federation Experience with Nx | Nx Blog A New UI for Nx Migration | Nx Blog Custom Task Runners and Self-Hosted Caching Changes | Nx Blog Enterprise Angular Monorepo Patterns | Nx Blog Using Rspack with Angular | Nx Blog Angular Architecture Guide To Building Maintainable Applications at Scale | Nx Blog Modern Angular Testing with Nx | Nx Blog Nx Update: 20.5 | Nx Blog Are Monorepos the Answer to Better AI-Assisted Development? | Nx Blog Making Cursor Smarter with an MCP Server For Nx Monorepos | Nx Blog React Development for 2025 | Nx Blog Using Apollo GraphQL in an Nx Workspace | Nx Blog Angular State Management for 2025 | Nx Blog Tailoring Nx for Your Organization | Nx Blog Nx Cloud Pipelines Come To Nx Console | Nx Blog Define the relationship with monorepos | Nx Blog See your affected project graph in Nx Cloud | Nx Blog Handling CORS In Your Workspace | Nx Blog Improve your architecture and CI pipeline times with Nx projects | Nx Blog Announcing Nx 20 | Nx Blog Introducing Nx Powerpack | Nx Blog Nx 19.5 is here! Stackblitz, Bun, Incremental Builds for Vite, Gradle Test Atomizer | Nx Blog Introducing Explain with AI | Nx Blog Nx Enterprise Podcast Episode 2: Tine Kondo | Nx Blog Monorepos and CI can be a Mess - Here's How Nx and Nx Cloud Fixed It | Nx Blog Nx Enterprise Podcast Episode 1: Hicham El Hammouchi | Nx Blog Nx 19.0 Release!! | Nx Blog Manage Your Gradle Project using Nx | Nx Blog Making the Argument for Monorepos | Nx Blog Reliable CI. A new execution model fixing both flakiness and slowness | Nx Blog Monorepos - Why Speed Matters | Nx Blog Nx Agents Walkthrough: Effortlessly Fast CI Built for Monorepos | Nx Blog Launch Nx Week Recap | Nx Blog Versioning and Releasing Packages in a Monorepo | Nx Blog Fast, Effortless CI | Nx Blog Introducing @nx/nuxt Enhanced Nuxt.js Support in Nx | Nx Blog What if Nx Plugins Were More Like VSCode Extensions | Nx Blog Monorepos: the Benefits, Challenges, and Importance of Tooling Support | Nx Blog Nx — Highlights of 2023 | Nx Blog Nx 17.2 Update | Nx Blog Unit Testing Expo Apps With Jest | Nx Blog Nx Docs AI Assistant | Nx Blog State Management Nx React Native/Expo Apps with TanStack Query and Redux | Nx Blog Nx 17 has Landed | Nx Blog Nx Conf 2023 — Recap | Nx Blog Nx Raises $16M Series A | Nx Blog Introducing Playwright Support for Nx | Nx Blog Nx 16.8 Release!!! | Nx Blog Step-by-Step Guide to Creating an Expo Monorepo with Nx | Nx Blog Qwikify your Development with Nx | Nx Blog Create Your Own create-react-app CLI | Nx Blog Storybook Interaction Tests in Nx | Nx Blog Evergreen Tooling — More than Just CodeMods | Nx Blog A Practical Guide on Effective AI Use - AI as Your Peer Programmer | Nx Blog
Shift Left Isn't Working: Because We're Shifting the Wrong Thing | Nx Blog
Josh VanAllen · 2026-05-07 · via Nx Blog

"Give me six hours to chop down a tree and I will spend the first four sharpening the axe." Lincoln said that. We've known this for centuries.

The priority is always to deliver faster. So controls come after. More scanners. More gates. More reactive measures bolted on once the code already exists.

But what if you had those guardrails at the beginning? What if security, quality, and compliance were inputs to planning and building rather than reviews of the output?

That's "shift left" in a nutshell. And most teams are missing it.

The Build Phase is Now Basically Free

Not long ago, building software meant planning the implementation, splitting the work across a team, coordinating merges, resolving conflicts, and hoping everyone's assumptions aligned. The build phase had weight to it.

Simple implementations now? A prompt or two. Maybe an afternoon.

Complex implementations still take real effort. The back and forth, the context setting, the course correcting. But even then, what used to take a team a week now takes one person a day.

The code still needs to be reviewed. But let's be honest about what actually happens when a PR lands with 1200 lines generated in 40 minutes.

That gap between "code was created" and "code was understood" is where the SDLC started breaking.

Speed Exposed a Problem That Was Always There

The SDLC didn't break because of AI. AI just made it impossible to ignore.

PR backlogs aren't new. Neither is the pressure that comes with them. When reviews pile up, the timeline to merge shrinks. And when the timeline shrinks, reviews get shallower. Not because engineers are careless. Because there are only so many hours and the queue doesn't care.

The person who wrote the code is always more invested in it than the reviewer. They architected it. They know every decision. The reviewer is coming in cold, under time pressure, with their name on the approval. That dynamic existed long before any AI wrote a single line.

What AI did was pour gasoline on it. A backlog that used to build over days now builds in hours. A PR that used to represent a few days of work now represents an afternoon of generation. The reviewer's context didn't scale with the output. The expectation to merge still did.

We didn't create a new problem. We accelerated an old one past the point where we could pretend it wasn't there.

Code Scanners Are Reactive by Definition. Their Knowledge Isn't.

Code scanning tools, the ones that analyze your code for security vulnerabilities and flag risky dependencies, are reactive by definition. They need code to exist before they can analyze it. CVE databases flag vulnerabilities after a version is released, not before. That's not a flaw in the tooling. That's just how SAST and CVE scanning works.

But the knowledge behind those tools doesn't have to wait.

Before a single line gets written, whether by a developer or an agent, there's a planning phase. And that planning phase is where the real shift left happens. What does this feature need? What are the corporate coding standards? What compliance requirements apply? What dependencies are in or out of bounds?

That context needs to be an input to the build, not a review of its output. Agentic tools have mechanisms for this. Vendors still haven't agreed on a name. Shocking, I know. But the concept is the same. You encode your expectations before the agent starts, not after it finishes.

Dependencies are a good example. The knee jerk rule is "use maintained libraries." But that's too blunt. A utility library that does one thing well and hasn't needed to change in five years isn't a risk. What matters is whether there are known CVEs, whether the library is end of life (EOL), whether it fits within corporate policy, whether pulling it in creates a compliance problem. Developers and agents both need that context before they reach for a package, not after a scanner flags it three sprints later.

SAST knowledge, dependency policies, corporate coding standards. These can all shift left as inputs. The scanner becomes verification, not discovery.

Same Fix for Humans and Agents

The fix isn't new. It's just overdue.

Smaller PRs. Meaningful test coverage. Better planning before the first line gets written. These aren't agent-specific best practices. They're engineering best practices. The difference is that agents need them made explicit. A senior engineer absorbs corporate culture over time. An agent needs it written down every single time.

And not everything gets written down at the same level. Security standards and compliance requirements live at the corporate level. Architecture patterns at the team level. Implementation decisions within that. The hierarchy already exists for human developers. Agents just make it impossible to ignore when it isn't there.

This is where corporate policy becomes rules. The same expectations that govern how a developer writes code need to be encoded as context before an agent starts building. Not as an afterthought. As an input.

Here's the uncomfortable part. If you can't write your standards down clearly enough for an agent to follow, ask yourself if a new engineer joining your team would fare any better. Teams that have clear, written, maintained standards will get good output from agents. Teams that run on tribal knowledge and institutional memory will get chaos. The agent didn't create that problem. It just made it visible.

What It Actually Looks Like

Start with the rules. Not the agent. Not the tooling. The rules.

An SDLC or agent without rules is just a fast way to produce code that doesn't meet your standards. The rules are the work.

When building them for the first time, start with security. Not coding style. Not architecture preferences. Security first. CVE policies, approved dependency lists, SAST expectations, compliance requirements. These are the non-negotiables. Get those written down before anything else.

Then corporate policy. Coding standards, test coverage thresholds, the things that apply across every team in the organization. Then team level decisions. Architecture patterns, framework choices, style preferences within those corporate bounds.

That hierarchy matters. Security sets the floor. Corporate policy sets the walls. Teams work within them.

And don't treat this as a one time setup. These rules are living documents. When corporate policy updates, the rules need to follow. The best way to make that manageable is to link your rules back to the source of truth rather than copying them. A rule that drifts out of sync is worse than no rule at all.

The goal isn't a perfect set of rules on day one. It's a system that stays current and gets more specific over time.

The Work Is Worth It

The build phase is cheap now. That's not changing.

What isn't cheap is building poorly at speed. Technical debt, security vulnerabilities, compliance failures. Those costs didn't go down when the build phase did. They just arrive faster.

If you're a tech lead, architect, or sitting in a CISO or CTO seat, this is the work on your plate. Not picking the right agentic tool. Getting your standards written down clearly enough that a human or an agent can follow them without guessing.

The build is cheap. The discipline isn't. But it's the only thing that makes the speed worth having.

Learn More