How do you get your dev team to shift left for real?
Shift-left doesn't start with scanning code for security vulnerabilities; it begins with designing it.
Play yourself secure with the latest release of OWASP Cornucopia Website Edition v2.2!
In the next version of OWASP Cornucopia Website App Edition, version 2.2, we have a special treat for you.
We have gathered all our threat modeling expertise, created threat modeling scenarios for each card, and analyzed which STRIDE categories each scenario belongs to. Much of this material has been contributed to the project by @jefmeijvis and dotNET Lab.
If you have bought an OWASP Cornucopia deck with QR codes, you can now give your team advice on threat scenarios, threat vectors, attack patterns, mitigation strategies, and STRIDE when playing the game by letting them scan the QR codes on each card. Each scenario follows "Shostack's Four Question Frame for Threat Modeling", making it easy for your security champions to come up with the threats and mitigations themselves.
In addition, we have added further CAPECs that correspond to each card, and added references to the OWASP Developer Guide's Web Application Checklist, which link your threat modeling to OWASP secure coding practices and the OWASP Top 10 Proactive Controls. This is thanks to @jgadsden from the OWASP Developer Guide project.