sl analyze

The analyze command allows you to run NG SAST and perform code analysis on your application.


To run:

sl analyze --app <name> --csharp <--dotnet|--dotnet-core|--dotnet-framework> <path/to/.sln/or/.csproj>`

Command options

For easy reuse in future analyses, you can store some command-related information as environment variables (we've provided the specific environment variable below). Note that the values for options set via environment variables override those set in a configuration file (which, in turn, are overridden by those specified via command-line flags).

OptionEnvironment variableDescription
--app <name>SHIFTLEFT_APP=<name>The name of your application
--analysis-timeout <timeout>SHIFTLEFT_ANALYSIS_TIMEOUT=<timeout>Specify the timeout (e.g. 15m) to be used for analysis. Default: 15 minutes (15m0s)
--csharpSHIFTLEFT_LANG_CSHARP=trueAnalyze an application written in C#
--dotnetIndicate that a C# application is using .NET
--dotnet-coreIndicate that a C# application is using .NET Core
--dotnet-frameworkIndicate that a C# application is using .NET Framework. Default value if no values regarding framework are provided.
--git-remote-name <remote>Specify the remote to use (instead of origin) when including Git metadata with your application; ShiftLeft uses the remote repository to link identified vulnerabilities shown in the Dashboard to your source code
--no-vcs-metadataSpecify that Git metadata should NOT be sent to ShiftLeft; disables the automatic linking of identified vulnerabilities in the Dashboard to the source code in your version control repository
--oss-project-dir <project-path>SCA only: the (non-default) location where projects are defined
--oss-requiredSHIFTLEFT_OSS_ABORT_ON_FAILURE=trueSCA only: when set, a failure to generate Software Bill of Materials (BOM) will stop NG SAST analysis
--policy <ID>Specify the policy NG SAST should use during analysis; if you don't set this, NG SAST uses the default policy
--remediation-config <file>Suppress findings based on rules/patterns defined in the provided config file
--strictSHIFTLEFT_STRICT=trueSpecifies that ShiftLeft should treat failures (including timeouts) as errors, exit, and return the appropriate error code. We strongly recommend this for any automated scans (e.g., GitHub Actions, CI/CD pipelines, etc.)
--tag<name>Create an application group so that multiple applications are displayed as groups in the Dashboard application group
--tag branch=<name>Provide the application branch that's displayed in the Dashboard. If you don't provide one, but ShiftLeft detects a branch name from your version control system, it will use that name
--team <name>The team to which the application should be assigned (new applications only). This flag can be used by team admins to submit an application for analysis and assign it to a team for which they're an admin
--vcs-prefix-correction <value>Provide filepath modifications so the Source Code View reflects your repo structure
--version-id <version>SHIFTLEFT_VERSION_ID=<version>Override default version with custom one (e.g. v1.2.3)
--waitSHIFTLEFT_WAIT=trueWait for ShiftLeft Core (SAST, SCA, and container scanning) to finish analysis before returning control of the CLI