Shift Left: How the CVE-LITE CLI is Transforming Developer Security

In the modern enterprise software development life cycle, where speed of delivery is the most closely watched metric, security is often treated as an afterthought to be handled at the end of the delivery line. For many organizations, this means developers wait hours for a response. Sonu Kapoor, an engineer with 25 years of experience, wants to change that by moving security scanning directly onto the developer’s desktop.

The CVE-LITE CLI, an open source project created by Kapoor and now part of the OWASP Foundation, grew out of the recognition that the security workflow was broken.

“The biggest problem is that the answer is too late,” Kapoor told SD Times in a recent interview. In many enterprise environments, a pipeline build can take four to eight hours, and security scans usually run at the very end. Developers are then handed huge logs that point to vulnerabilities but offer little guidance, forcing them to spend hours working out how to fix the problems. Overwhelmed by the process, teams often simply file exceptions to suppress the findings, prioritizing business concerns over security.

The CVE-LITE CLI addresses this conflict by letting developers run security scans where the code lives. By launching scans directly from the terminal, developers get an answer quickly instead of waiting hours for the pipeline to run.

The tool’s main differentiator is its practical, actionable output. Unlike standard scanners that merely report a problem, Kapoor explained, CVE-LITE CLI uses internal algorithms to tell developers exactly what is wrong and how to fix it. It provides instructions that developers can copy and paste to resolve vulnerabilities, or, if no specific fix is available, advises whether to upgrade the affected dependencies or remove them entirely.

“I’m trying to change the engineer’s workflow,” Kapoor said. “The goal is to bring local scanning to the developer responsible for the code and allow him to do his job and continue to fix vulnerabilities.”

Despite being only three months old, the project has gained significant traction in the open source community, surpassing 12,000 downloads and 550 GitHub stars. It has been adopted worldwide, with users in countries ranging from Peru to Portugal, and is even used within French government programs.

The project is a labor of dedication, with Kapoor devoting four to five hours every day to its development. The tool is free, requires no account registration, and is readily available through npm. The CLI also includes AI integration, allowing users to analyze scan results with the help of artificial intelligence.

As organizations continue to look for better ways to integrate security into developer workflows, Kapoor said the CVE-LITE CLI offers a practical solution: one that prioritizes speed, clarity, and developer productivity, making security a seamless part of the coding process rather than the last, frustrating hurdle.
