Integrate with GitHub for code scanning
Scan code on PRs, fail builds on new critical findings, and keep secrets out of history.
Shift-left is over-used as a phrase, but the underlying idea is real: finding an issue during code review is orders of magnitude cheaper than finding it in production. The GitHub integration runs Cyvex code scans against pull requests and posts results as PR comments or check runs.
Minimum setup
- Install the Cyvex GitHub App on the org or selected repos.
- Grant read access to code and metadata.
- Decide whether to fail the check on new critical findings or just annotate.
Fail vs annotate
For a young codebase, run annotate-only. For a mature one with a clean baseline, fail the check on any new critical finding. Never flip a check to failing overnight: give teams a two-week grace period after switching from annotate to fail.
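The decision the check has to make, as an added example that is not Cyvex's own code: findings are compared against a baseline by a stable fingerprint, annotate mode never fails, fail mode fails only on new critical findings, and a switch date plus the two-week grace period decides when failures actually start. The Finding fields, the fingerprint scheme and the sample findings are assumptions constructed for the example.

```python
# Added example (not Cyvex's own code): the gating decision a PR check makes
# in "annotate" vs "fail" mode, including the two-week grace period after
# switching. Finding fields and the fingerprint scheme are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    fingerprint: str  # assumed: stable hash of rule + snippet, so line shifts don't look "new"
    severity: str     # "critical", "high", "medium" or "low"


def new_findings(scan, baseline):
    """Findings in this scan whose fingerprint is absent from the baseline."""
    known = {f.fingerprint for f in baseline}
    return [f for f in scan if f.fingerprint not in known]


def check_conclusion(scan, baseline, mode, switched_on=None, today=None):
    """Return (conclusion, annotations) for a PR check run.

    mode: "annotate" never fails; "fail" fails on any *new* critical finding.
    switched_on: date the repo moved from annotate to fail; until
    switched_on + GRACE_PERIOD the check still passes but keeps annotating.
    """
    if mode not in ("annotate", "fail"):
        raise ValueError(f"unknown mode: {mode}")
    fresh = new_findings(scan, baseline)
    annotations = [f"{f.severity.upper()} {f.rule_id} in {f.path}" for f in fresh]
    if mode == "annotate":
        return "success", annotations
    today = today or date.today()
    if switched_on is not None and today < switched_on + GRACE_PERIOD:
        return "success", annotations  # grace period: would have failed, still passes
    if any(f.severity == "critical" for f in fresh):
        return "failure", annotations
    return "success", annotations


# Constructed sample data: one pre-existing critical in the baseline, and a PR
# that adds a new critical and a new medium finding.
BASELINE = [Finding("sql-injection", "app/db.py", "fp-a1", "critical")]
SCAN = BASELINE + [
    Finding("command-injection", "app/shell.py", "fp-b2", "critical"),
    Finding("weak-hash", "app/auth.py", "fp-c3", "medium"),
]


def demo():
    """Run the three policy states against the sample data."""
    switch = date(2024, 6, 1)  # constructed: day the repo moved from annotate to fail
    return {
        "annotate": check_conclusion(SCAN, BASELINE, "annotate"),
        "fail_in_grace": check_conclusion(SCAN, BASELINE, "fail", switch, today=date(2024, 6, 10)),
        "fail_enforced": check_conclusion(SCAN, BASELINE, "fail", switch, today=date(2024, 6, 20)),
    }


if __name__ == "__main__":
    for name, (conclusion, notes) in demo().items():
        print(f"{name}: {conclusion}; {len(notes)} new finding(s) annotated")
```

The pre-existing critical in the baseline is never annotated and never fails the check; only what the PR introduces counts, which is what makes the fail mode tolerable on a codebase that still carries old debt. Comparing by fingerprint rather than by file and line number is what keeps an unrelated edit above a known finding from turning it into a "new" one.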
Secret scanning
Secret scanning runs on every push, not just PRs. If a secret is detected, rotate it first, delete history second. History rewrites don't un-leak a key that's been public on GitHub for even a few minutes.
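What a per-push scan looks at, as an added example that is not Cyvex's own scanner: only the lines a push adds are examined, because that is where a new secret enters history, and matches are reported redacted so the scanner's own output does not become a second leak. The patterns are simplified stand-ins (the AWS access key id and GitHub personal access token shapes are the public documented formats; the generic assignment rule is an assumption), and the diff, with AWS's documented example key id, is constructed for the example.

```python
# Added example (not Cyvex's own scanner): a push-time check over the lines a
# unified diff adds. Patterns are deliberately simplified; a production scanner
# has many more rules and verifies candidates against the issuing service.
import re

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # assumed generic rule: NAME = "<20+ token-ish chars>"
    "generic-assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([A-Za-z0-9/+_\-]{20,})['\"]"
    ),
}


def added_lines(diff):
    """Yield (path, text) for every line the unified diff adds; removed and context lines are skipped."""
    path = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("+") and not line.startswith("+++"):
            yield path, line[1:]


def scan_push(diff):
    """Return [(path, pattern name, redacted match)] for every hit in the added lines."""
    hits = []
    for path, text in added_lines(diff):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(text):
                secret = m.group(m.lastindex or 0)   # last group is the value for the generic rule
                hits.append((path, name, secret[:4] + "..."))  # never echo the full value into logs
    return hits


# Constructed diff: a push that replaces an environment lookup with a hard-coded
# key (AWS's documented example key id) and adds a literal API key. The removed
# line and the context lines must not produce hits.
SAMPLE_PUSH_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "sk-constructed-sample-0123456789abcdef"
+# token rotation is handled by the deploy job
 ALLOWED_HOSTS = ["example.com"]
"""


if __name__ == "__main__":
    for path, rule, redacted in scan_push(SAMPLE_PUSH_DIFF):
        print(f"{path}: {rule} ({redacted})")
```

Because a hit means the value is already in a commit that has reached GitHub, the scanner's job ends at raising the alert; the response order in the text (rotate first, rewrite history second) is what the alert should point people at, since rewriting history does not revoke anything.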
