
sl analyze

The analyze command allows you to run preZero and perform code analysis on your application.


sl analyze --app appName <language flag> <command options> <path>
# example: sl analyze --app yourApp --java /path/to/jar

For easy reuse in future analyses, you can store some command-related information as environment variables. If applicable, we've provided the specific environment variable below.

Note that the values for options set via environment variables override those set in a configuration file. These, in turn, are overridden by those specified via command-line flags.

| Option | Environment variable | Description |
| --- | --- | --- |
| `--app <name>` | `SHIFTLEFT_APP=<name>` | The name of your application (maximum length: 100 characters) |
| `--analysis-timeout <timeout>` | `SHIFTLEFT_ANALYSIS_TIMEOUT=<timeout>` | Specify the timeout (e.g. 15m) to be used for analysis. Default: 15 minutes (15m0s) |
| `--container` | `SHIFTLEFT_CONTAINER_SCA=<name>` | The container to include (e.g.,, where is the registry, shiftleft is the repo, demoContainer is the name of the container, and latest is the tag; registry and tag default to and latest respectively) |
| `--cpg-generation-timeout <timeout>` | | Timeout for CPG generation phase (e.g. '15 m'). If this is not set, the default is 15 minutes. |
| `--git-remote-name <remote>` | | Specify the remote to use (instead of origin) when including Git metadata with your application; Qwiet AI uses the remote repository to link identified vulnerabilities shown in the Dashboard to your source code |
| `--no-vcs-metadata` | | Specify that Git metadata should NOT be sent to Qwiet AI; disables the automatic linking of identified vulnerabilities in the Dashboard to the source code in your version control repository |
| `--policy <ID>` | | Specify the policy NG SAST should use during analysis; if you don't set this, NG SAST uses the default policy |
| `--remediation-config <file>` | | Suppress findings based on rules/patterns defined in the provided config file |
| `--sca-only-upload` | | Only run SCA, skip SAST and other processing steps |
| `--strict` | `SHIFTLEFT_STRICT=true` | Specifies that Qwiet AI should treat failures (including timeouts) as errors, exit, and return the appropriate error code. We strongly recommend this for any automated scans (e.g., GitHub Actions, CI/CD pipelines, etc.) |
| `--tag<name>` | | Create an application group so that multiple applications are displayed as groups in the Dashboard application group |
| `--tag branch=<name>` | | Provide the application branch that's displayed in the Dashboard. If you don't provide one, but Qwiet AI detects a branch name from your version control system, it will use that name |
| `--team <name>` | | The Team to which the application should be assigned. This flag will only have an effect if the app does not currently exist, and only if the Team already exists (it will not create a Team). This flag can be used by Team Admins to submit an application for analysis and assign it to a Team for which they're an admin. If the Team name has spaces in it, you will need to use quotes. For example: `--team "Team Name"` |
| `--vcs-prefix-correction <value>` | | Provide filepath modifications so the Source Code View reflects your repo structure |
| `--wait` | `SHIFTLEFT_WAIT=true` | Wait for Qwiet AI Core (SAST and container scanning) to finish analysis before returning control of the CLI |
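
The `--strict` recommendation for automated scans and the precedence rule (configuration file, then environment variable, then command-line flag) can be combined into a fail-closed CI step. This is an added example, not code from the Qwiet AI documentation; the function name `scan_gate` and its argument order are hypothetical, and it assumes `sl` is installed and authenticated on the runner.

```shell
#!/bin/sh
# Added example: fail-closed CI gate around `sl analyze`.
# Assumptions: `sl` is installed and authenticated on the runner;
# scan_gate and its argument order are hypothetical names for this sketch.
#
# usage: scan_gate APP LANG_FLAG TARGET [TIMEOUT]
#   e.g. scan_gate yourApp --java /path/to/jar 15m

scan_gate() {
    app=$1 lang_flag=$2 target=$3 timeout=${4:-15m}

    # The docs cap the application name at 100 characters; reject a bad
    # name before the CLI is invoked.
    if [ -z "$app" ] || [ "${#app}" -gt 100 ]; then
        echo "scan_gate: app name must be 1-100 characters" >&2
        return 2
    fi

    # Language selectors are flags such as --java or --c.
    case $lang_flag in
        --?*) ;;
        *) echo "scan_gate: language flag expected (e.g. --java)" >&2
           return 2 ;;
    esac

    if [ ! -e "$target" ]; then
        echo "scan_gate: target not found: $target" >&2
        return 2
    fi

    # --strict and --wait are passed as flags rather than left to
    # SHIFTLEFT_STRICT / SHIFTLEFT_WAIT: per the documented precedence,
    # flags override both environment variables and the config file.
    rc=0
    sl analyze --app "$app" "$lang_flag" --strict --wait \
        --analysis-timeout "$timeout" "$target" || rc=$?

    if [ "$rc" -ne 0 ]; then
        echo "scan_gate: analysis failed or timed out (exit $rc)" >&2
    fi
    # Propagate the exit code so the pipeline stops on a failed scan.
    return "$rc"
}
```
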

Language-specific command options

sl analyze --app <name> --c </path/to/code>
| Option | Environment variable | Description |
| --- | --- | --- |
| `--c` | `SHIFTLEFT_LANG_C=true` | Analyze an application written in C/C++ |