# sl analyze

The `analyze` command allows you to run preZero and perform code analysis on your application.

## Usage

```
sl analyze --app appName <language flag> <command options> <path>
# example: sl analyze --app yourApp --java /path/to/jar
```
For easy reuse in future analyses, you can store some command-related information as environment variables. If applicable, we've provided the specific environment variable below.
Note that the values for options set via environment variables override those set in a configuration file. These, in turn, are overridden by those specified via command-line flags.
Option | Environment variable | Description |
---|---|---|
`--app <name>` | `SHIFTLEFT_APP=<name>` | The name of your application (maximum length: 100 characters) |
`--analysis-timeout <timeout>` | `SHIFTLEFT_ANALYSIS_TIMEOUT=<timeout>` | Specify the timeout (e.g. `15m`) to be used for analysis. Default: 15 minutes (`15m0s`) |
`--container` | `SHIFTLEFT_CONTAINER_SCA=<name>` | The container to include (e.g., `docker.io/shiftleft/demoContainer:latest`, where `docker.io` is the registry, `shiftleft` is the repo, `demoContainer` is the name of the container, and `latest` is the tag; registry and tag default to `docker.io` and `latest` respectively) |
`--cpg-generation-timeout <timeout>` | | Timeout for the CPG generation phase (e.g. `15m`). If this is not set, the default is 15 minutes |
`--disable-multilanguage-analysis` | `QWIET_DISABLE_MULTI_LANGUAGE_ANALYSIS=true` | Disable multilanguage analysis. The most prevalent language will be detected and used for analysis |
`--exclude-languages <language>` | | Exclude a language from analysis. May be specified multiple times |
`--git-remote-name <remote>` | | Specify the remote to use (instead of `origin`) when including Git metadata with your application; Qwiet AI uses the remote repository to link identified vulnerabilities shown in the Dashboard to your source code |
`--no-vcs-metadata` | | Specify that Git metadata should NOT be sent to Qwiet AI; disables the automatic linking of identified vulnerabilities in the Dashboard to the source code in your version control repository |
`--policy <ID>` | | Specify the policy NG SAST should use during analysis; if you don't set this, NG SAST uses the default policy |
`--remediation-config <file>` | | Suppress findings based on rules/patterns defined in the provided config file |
`--sca-only-upload` | | Only run SCA; skip SAST and other processing steps |
`--secrets-only` | | Only scan for secrets; skip SAST, SCA, and other processing steps |
`--strict` | `SHIFTLEFT_STRICT=true` | Specifies that Qwiet AI should treat failures (including timeouts) as errors, exit, and return the appropriate error code. We strongly recommend this for any automated scans (e.g., GitHub Actions, CI/CD pipelines, etc.) |
`--structured-output` | | Write scan details in a structured format to a file. By default, the file contains a JSON object and is placed at `./scan_output_<orgID>_<appID>_<timestamp>.json` |
`--structured-output-format <JSON\|YAML>` | | When `--structured-output` is in use, this option specifies the format for the structured output. Accepted values are `JSON` and `YAML` |
`--structured-output-module <vcs\|ci>` | | When `--structured-output` is in use, this option appends VCS and CI information to the output file. This optional flag can be used one or more times. Accepted values are `vcs` and `ci` |
`--structured-output-file-path <path>` | | When `--structured-output` is in use, this option specifies the file path (including the file name) to which the structured scan output is written |
`--tag app.group=<name>` | | Create an application group so that multiple applications are displayed together as a group in the Dashboard |
`--tag branch=<name>` | | Provide the application branch that's displayed in the Dashboard. If you don't provide one, but Qwiet AI detects a branch name from your version control system, it will use that name |
`--team <name>` | | The Team to which the application should be assigned. This flag only has an effect if the app does not currently exist, and only if the Team already exists (it will not create a Team). This flag can be used by Team Admins to submit an application for analysis and assign it to a Team for which they're an admin. If the Team name has spaces in it, you will need to use quotes. For example: `--team "Team Name"` |
`--vcs-prefix-correction <value>` | | Provide filepath modifications so the Source Code View reflects your repo structure |
`--wait` | `SHIFTLEFT_WAIT=true` | Wait for Qwiet AI Core (SAST and container scanning) to finish analysis before returning control of the CLI |
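A CI wrapper, added here as an example and not part of the Qwiet documentation or CLI: it assembles the `sl analyze` invocation from the options above, enforces the 100-character app-name limit and a single language flag, and always enables `--strict` and `--wait` as recommended for automated scans. The function name `sl_analyze_ci`, the `SL_DRY_RUN` switch and the output file name are the example's own choices; it assumes `sl` is on `PATH` and already authenticated.

```bash
#!/usr/bin/env bash
# Added example, not Qwiet's own tooling: build and run a CI invocation of
# `sl analyze` from the documented options. Written in POSIX sh so it runs
# under bash or dash alike.
set -eu

# Usage: sl_analyze_ci <app> <language-flag> <path> [branch]
# With SL_DRY_RUN=1 the assembled arguments are printed one per line instead
# of being executed. Returns 1 on invalid input.
sl_analyze_ci() {
  app="$1"; lang_flag="$2"; target="$3"; branch="${4:-}"

  # --app accepts at most 100 characters.
  if [ -z "$app" ] || [ "${#app}" -gt 100 ]; then
    echo "sl_analyze_ci: --app name must be 1-100 characters" >&2
    return 1
  fi
  # Exactly one of the documented language flags must be given.
  case "$lang_flag" in
    --c|--csharp|--go|--java|--js|--kotlin|--php|--python|--pythonsrc|--ruby|--terraform) ;;
    *) echo "sl_analyze_ci: unknown language flag '$lang_flag'" >&2; return 1 ;;
  esac

  # Positional parameters act as an argv array, so values with spaces survive.
  set -- analyze --app "$app" \
    --strict --wait \
    --structured-output --structured-output-format JSON \
    --structured-output-module vcs --structured-output-module ci \
    --structured-output-file-path "scan_output_${app}.json"
  # The branch tag is optional: without it the CLI uses the branch detected from VCS.
  if [ -n "$branch" ]; then
    set -- "$@" --tag "branch=${branch}"
  fi
  set -- "$@" "$lang_flag" "$target"

  if [ "${SL_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$@"
  else
    # With --strict, sl exits non-zero on failures and timeouts, so `set -e`
    # makes the CI job fail instead of silently passing.
    sl "$@"
  fi
}
```

Run `SL_DRY_RUN=1 sl_analyze_ci my-app --java /tmp/app.jar main` to inspect the exact argument list before wiring the wrapper into a pipeline.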
## Language-specific command options
- C/C++
- C#
- Go
- Java
- JavaScript
- Kotlin
- PHP
- Python
- Ruby
- Scala
- Terraform
### C/C++

```
sl analyze --app <name> --c </path/to/code>
```

Option | Environment variable | Description |
---|---|---|
`--c` | `SHIFTLEFT_LANG_C=true` | Analyze an application written in C/C++ |
### C#

```
sl.exe analyze --app <name> --csharp <path/to/.sln/or/.csproj>
```

Non-Windows users should invoke the Qwiet CLI using `sl` instead of `sl.exe`.

Option | Environment variable | Description |
---|---|---|
`--csharp` | `SHIFTLEFT_LANG_CSHARP=true` | Analyze an application written in C# |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | SCA only: when set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |

The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen `--` (e.g., `sl.exe analyze --app <name> --csharp <path/to/.sln/or/.csproj> -- <additionalFlags>`):

Option | Description |
---|---|
`--disable-razor` | Disable the search for included Razor files to improve performance |
`--ignore-project <paths-to-proj-file>` | Ignores one or more specified projects from being scanned. Uses the full, not relative, file path |
### Go

```
sl analyze --app <name> --go <path>
```

Option | Environment variable | Description |
---|---|---|
`--go` | `SHIFTLEFT_LANG_GO=true` | Analyze an application written in Go |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | SCA only: when set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |
### Java

```
sl analyze --app <name> --vcs-prefix-correction "*=src/main/java" --java <path/to/JAR/WAR>
```

Option | Environment variable | Description |
---|---|---|
`--dep` | | Use to combine multiple artifacts for analysis. Can be used multiple times |
`--java` | `SHIFTLEFT_LANG_JAVA=true` | Analyze an application written in Java or Scala |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | SCA only: when set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |
### JavaScript

```
sl analyze --app <name> --js <path>
```

Option | Environment variable | Description |
---|---|---|
`--js` | `SHIFTLEFT_LANG_JS=true` | Analyze an application written in JavaScript/TypeScript |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | SCA only: when set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |

The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen `--` (e.g., `sl analyze --app <name> --js <path> -- <additionalFlags>`):

Option | Description |
---|---|
`--exclude <path>` | Exclude the specified file/directory during code analysis; the path provided must be either an absolute path or a path relative to the project directory; can be specified multiple times |
`--exclude-html` | Exclude HTML files from the analysis |
`--exclude-private-deps` | Exclude private modules/dependencies in `node_modules/` (defaults to `false`) |
`--exclude-regex <value>` | A regex specifying the files to exclude during the analysis (the match is against the absolute file path), e.g., `--exclude-regex ".*([-.])min\\.js"` or `--exclude-regex ".*.(spec\|` |
`--include-minified` | Include minified JavaScript sources (e.g., filenames ending with `-min.js` or `.min.js`) in the analysis (by default, preZero excludes all such sources) |
`--include-tests` | Include test files (typically required for sample vulnerable apps, such as OWASP Juice Shop) |
`--no-babel` | Exclude Babel sources from the analysis (by default, preZero includes Babel sources) |
`--no-ts` | Exclude TypeScript sources from the analysis (by default, preZero includes TypeScript sources) |
`--optimize-dependencies` | Optimize project dependencies during transpilation (i.e., reduce dependencies to the minimal set required to transpile the JS/TS code). May result in faster execution times. Defaults to `false` |
`--output <value>` | The CPG output file name (defaults to `cpg.bin.zip` if none provided) |
`--package-json <path>` | The custom path to `package.json` (by default, preZero looks for the file in the JavaScript project directory) |
`--private-deps-ns <dep1>,<dep2>,...` | Additional private dependencies from `node_modules` that you would like to be analyzed |

The following additional parameters have been deprecated and shouldn't be used anymore:

Option | Description |
---|---|
`--include-configs` | Enabled by default: include configuration files (e.g., `*.conf.js`, `*.config.js`, `*.json`). Usually required for OWASP Juice Shop and other vulnerable apps |
### Kotlin

```
sl analyze --app <name> --kotlin <path>
```

Option | Environment variable | Description |
---|---|---|
`--kotlin` | `SHIFTLEFT_LANG_KOTLIN=true` | Analyze an application written in Kotlin |

The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen `--` (e.g., `sl analyze --app <name> --kotlin <path> -- <additionalFlags>`):

Option | Description |
---|---|
`--classpath <path>` | Adds a path to the folder containing your dependency jars (e.g., if your dependency jars are in `/tmp/jars`, pass `--classpath /tmp/jars` to `sl analyze`). Can be used more than once |
`--download-dependencies` | Triggers a download of the project's dependencies using Gradle or Maven |
`--gradle-configuration-name <name>` | The Gradle configuration name to be used when downloading dependencies (defaults to `releaseCompileClasspath` if none provided) |
`--gradle-project-name <name>` | The Gradle project name to be used when downloading dependencies (defaults to `app` if none provided) |
`--ignore-path <path>` | Adds a path to the list of directories that will be ignored during analysis. Can be used more than once |
### Python

For Python 3.8 and 3.9:

```
sl analyze --app <name> --python <path>
```

Option | Environment variable | Description |
---|---|---|
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | SCA only: when set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |
`--python` | `SHIFTLEFT_LANG_PYTHON=true` | Analyze an application written in Python |

For Python 3.10 and later:

```
sl analyze --app <name> --pythonsrc <path>
```

Option | Environment variable | Description |
---|---|---|
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | SCA only: when set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |
`--pythonsrc` | `SHIFTLEFT_LANG_PYTHONSRC=true` | Analyze an application written in Python |

The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen `--` (e.g., `sl analyze --app <name> --python <path> -- <additionalFlags>`):

Option | Description |
---|---|
`--extra-sys-paths [<path>]` | Include additional module search paths in the analysis |
`--ignore-dir-names` | Excludes all matching directories from the analysis. You must provide the exact directory name |
`--ignore-paths` | Ignores the specified paths from the analysis. Requires the full path, not a relative path, to be provided |
`--strict-deps` | Requires that all of the project's module paths can be followed for analysis to proceed |
### PHP

```
sl analyze --app <name> --php <path>
```

Option | Environment variable | Description |
---|---|---|
`--php` | `SHIFTLEFT_LANG_PHP=true` | Analyze an application written in PHP |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
### Ruby

```
sl analyze --app <name> --ruby <path>
```

Option | Environment variable | Description |
---|---|---|
`--ruby` | `SHIFTLEFT_LANG_RUBY=true` | Analyze an application written in Ruby |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
### Scala

```
sl analyze --app <name> --java <path>
```

Option | Environment variable | Description |
---|---|---|
`--java` | `SHIFTLEFT_LANG_JAVA=true` | Analyze an application written in Java or Scala |
`--oss-project-dir <project-path>` | | SCA only: the (non-default) location where projects are defined |
`--oss-required` | `SHIFTLEFT_OSS_ABORT_ON_FAILURE=true` | When set, a failure to generate a Software Bill of Materials (BOM) will stop preZero analysis |
`--oss-subproject <subproject-name>` | | SCA for Scala sbt projects only: collect open-source package information only from a specific subproject. This flag should only be used for complex monorepos/multi-project builds |
### Terraform

```
sl analyze --app <name> --terraform [<path>]
```

Option | Description |
---|---|
`--terraform` | Analyze a Terraform project |