Picture the development lifecycle as a left-to-right timeline: write code, review, merge, deploy, run in production. 'Shifting left' means catching problems as far toward the writing end as possible.
The economic argument is overwhelming and well-measured: a defect found while the author is still looking at the code costs almost nothing to fix; the same defect found in a security audit costs more; found in production it costs dramatically more, plus incident response and reputational damage. Pushing detection left compresses that cost curve.
In practice, shifting left means a SAST check in CI on every pull request, a secret scan in a pre-push hook, dependency checks at install time, and fast feedback that lands while the change is fresh. The failure mode to avoid is shifting left so aggressively (or noisily) that developers route around the checks — speed and signal-to-noise matter as much as placement.
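The pre-push secret scan mentioned above, as an added example (not code from the original page): a POSIX shell hook that scans only the lines added by the commits being pushed, which keeps it fast and low-noise. The regex patterns, the `secret-scan:allow` marker, and the sample diff are illustrative assumptions, not a complete rule set.

```shell
#!/bin/sh
# Added example: pre-push secret scan. Patterns and marker are illustrative.
ALLOW_MARKER='secret-scan:allow'   # hypothetical inline suppression marker
Q="[\"']"
SECRET_RE="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----"
SECRET_RE="$SECRET_RE|(password|secret|api_key|token)[[:space:]]*[:=][[:space:]]*${Q}[^\"']{12,}${Q}"

# Constructed sample (uses AWS's documented example key id) for a dry run.
SAMPLE_DIFF='diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,3 @@
 import os
-password = "old-hardcoded-value-123"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DOC_KEY = "AKIAIOSFODNN7EXAMPLE"  # secret-scan:allow'

# Reads git diff text on stdin and prints files whose ADDED lines match.
# Removed and context lines are ignored; returns 1 on any finding.
scan_diff() {
  hits=$(awk '
      /^diff --git /        { inhunk = 0; next }
      /^@@ /                { inhunk = 1; next }
      !inhunk && /^\+\+\+ / { file = substr($0, 5); sub(/^b\//, "", file); next }
      inhunk && /^\+/       { print file "\t" substr($0, 2) }
    ' | grep -v -F -e "$ALLOW_MARKER" | grep -E -e "$SECRET_RE" | cut -f1 | sort -u) || true
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed 's/^/possible secret in: /'
  return 1
}

is_zero() { case "$1" in *[!0]*) return 1 ;; esac; }   # all-zero object id?

# Hook body: git feeds "<local ref> <local sha> <remote ref> <remote sha>" lines.
pre_push() {
  status=0
  while read -r local_ref local_sha remote_ref remote_sha; do
    is_zero "$local_sha" && continue                     # branch deletion
    if is_zero "$remote_sha"; then set -- "$local_sha" --not --remotes
    else set -- "$remote_sha..$local_sha"; fi
    # log -p scans every commit's patch, so add-then-remove is still caught
    git log -p --no-color --format= "$@" | scan_diff >&2 || status=1
  done
  [ "$status" -eq 0 ] || echo "push blocked; fix, or mark with $ALLOW_MARKER" >&2
  return "$status"
}

# Runs only when installed as .git/hooks/pre-push
case "$0" in pre-push|*/pre-push) pre_push; exit $? ;; esac
```

To install, save it as `.git/hooks/pre-push` and make it executable. A client-side hook can be skipped with `git push --no-verify`, so the same scan should also run in CI.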