Skip to main content

sl analyze

The analyze command allows you to run preZero and perform code analysis on your application.


sl analyze --app appName <language flag> <command options> <path>
# example: sl analyze --yourApp --java /path/to/jar

For easy reuse in future analyses, you can store some command-related information as environment variables. If applicable, we've provided the specific environment variable below.

Note that the values for options set via environment variables override those set in a configuration file. These, in turn, are overridden by those specified via command-line flags.

OptionEnvironment variableDescription
--app <name>SHIFTLEFT_APP=<name>The name of your application (maximum length: 100 characters)
--analysis-timeout <timeout>SHIFTLEFT_ANALYSIS_TIMEOUT=<timeout>Specify the timeout (e.g. 15m) to be used for analysis. Default: 15 minutes (15m0s)
--containerSHIFTLEFT_CONTAINER_SCA=<name>The container to include (e.g.,, where is the registry, shiftleft is the repo, demoContainer is the name of the container, and latest is the tag; registry and tag default to and latest respectively)
--cpg-generation-timeout <timeout>Timeout for CPG generation phase (e.g. '15 m'). If this is not set, the default is 15 minutes.
--git-remote-name <remote>Specify the remote to use (instead of origin) when including Git metadata with your application; Qwiet AI uses the remote repository to link identified vulnerabilities shown in the Dashboard to your source code
--no-vcs-metadataSpecify that Git metadata should NOT be sent to Qwiet AI; disables the automatic linking of identified vulnerabilities in the Dashboard to the source code in your version control repository
--policy <ID>Specify the policy NG SAST should use during analysis; if you don't set this, NG SAST uses the default policy
--remediation-config <file>Suppress findings based on rules/patterns defined in the provided config file
--strictSHIFTLEFT_STRICT=trueSpecifies that Qwiet AI should treat failures (including timeouts) as errors, exit, and return the appropriate error code. We strongly recommend this for any automated scans (e.g., GitHub Actions, CI/CD pipelines, etc.)
--tag<name>Create an application group so that multiple applications are displayed as groups in the Dashboard application group
--tag branch=<name>Provide the application branch that's displayed in the Dashboard. If you don't provide one, but Qwiet AI detects a branch name from your version control system, it will use that name
--team <name>The team to which the application should be assigned (new applications only). This flag can be used by team admins to submit an application for analysis and assign it to a team for which they're an admin
--vcs-prefix-correction <value>Provide filepath modifications so the Source Code View reflects your repo structure
--version-id <version>SHIFTLEFT_VERSION_ID=<version>Override default version with custom one (e.g. v1.2.3)
--waitSHIFTLEFT_WAIT=trueWait for Qwiet AI Core (SAST and container scanning) to finish analysis before returning control of the CLI

Language-specific command options

sl analyze --app <name> --c </path/to/code>
OptionEnvironment variableDescription
--cSHIFTLEFT_LANG_C=trueAnalyze an application written in C/C++