sl analyze
The analyze command allows you to run preZero and perform code analysis on your application.
Usage
sl analyze --app appName <language flag> <command options> <path>
# example: sl analyze --yourApp --java /path/to/jar
For easy reuse in future analyses, you can store some command-related information as environment variables. If applicable, we've provided the specific environment variable below.
Note that the values for options set via environment variables override those set in a configuration file. These, in turn, are overridden by those specified via command-line flags.
| Option | Environment variable | Description |
|---|---|---|
--app <name> | SHIFTLEFT_APP=<name> | The name of your application (maximum length: 100 characters) |
--analysis-timeout <timeout> | SHIFTLEFT_ANALYSIS_TIMEOUT=<timeout> | Specify the timeout (e.g. 15m) to be used for analysis. Default: 15 minutes (15m0s) |
--container | SHIFTLEFT_CONTAINER_SCA=<name> | The container to include (e.g., docker.io/shiftleft/demoContainer:latest, where docker.io is the registry, shiftleft is the repo, demoContainer is the name of the container, and latest is the tag; registry and tag default to docker.io and latest respectively) |
--cpg-generation-timeout <timeout> | Timeout for CPG generation phase (e.g. '15 m'). If this is not set, the default is 15 minutes. | |
--git-remote-name <remote> | Specify the remote to use (instead of origin) when including Git metadata with your application; Qwiet AI uses the remote repository to link identified vulnerabilities shown in the Dashboard to your source code | |
--no-vcs-metadata | Specify that Git metadata should NOT be sent to Qwiet AI; disables the automatic linking of identified vulnerabilities in the Dashboard to the source code in your version control repository | |
--policy <ID> | Specify the policy NG SAST should use during analysis; if you don't set this, NG SAST uses the default policy | |
--remediation-config <file> | Suppress findings based on rules/patterns defined in the provided config file | |
--strict | SHIFTLEFT_STRICT=true | Specifies that Qwiet AI should treat failures (including timeouts) as errors, exit, and return the appropriate error code. We strongly recommend this for any automated scans (e.g., GitHub Actions, CI/CD pipelines, etc.) |
--tag app.group=<name> | Create an application group so that multiple applications are displayed as groups in the Dashboard application group | |
--tag branch=<name> | Provide the application branch that's displayed in the Dashboard. If you don't provide one, but Qwiet AI detects a branch name from your version control system, it will use that name | |
--team <name> | The team to which the application should be assigned (new applications only). This flag can be used by team admins to submit an application for analysis and assign it to a team for which they're an admin | |
--vcs-prefix-correction <value> | Provide filepath modifications so the Source Code View reflects your repo structure | |
--version-id <version> | SHIFTLEFT_VERSION_ID=<version> | Override default version with custom one (e.g. v1.2.3) |
--wait | SHIFTLEFT_WAIT=true | Wait for Qwiet AI Core (SAST and container scanning) to finish analysis before returning control of the CLI |
Language-specific command options
- C/C++
- C#
- Go
- Java
- JavaScript
- Kotlin
- PHP
- Python
- Scala
- Terraform
sl analyze --app <name> --c </path/to/code>
| Option | Environment variable | Description |
|---|---|---|
--c | SHIFTLEFT_LANG_C=true | Analyze an application written in C/C++ |
sl.exe analyze --app <name> --csharp <path/to/.sln/or/.csproj>
Non-Windows users should invoke the Qwiet CLI using
slinstead ofsl.exe.
| Option | Environment variable | Description |
|---|---|---|
--csharp | SHIFTLEFT_LANG_CSHARP=true | Analyze an application written in C# |
--oss-project-dir <project-path> | SCA only: the (non-default) location where projects are defined | |
--oss-required | SHIFTLEFT_OSS_ABORT_ON_FAILURE=true | SCA only: when set, a failure to generate Software Bill of Materials (BOM) will stop preZero analysis |
The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen -- (e.g., sl.exe analyze --app <name> --csharp <path/to/.sln/or/.csproj> -- <additionalFlags>):
| Option | Description |
|---|---|
--disable-razor | Disable search for included Razor files to improve performance. |
--ignore-project <paths-to-proj-file> | Ignores one or more specified projects from being scanned. Uses the full, not relative, file path |
--msbuild-proj <path-to-proj-file> | Include MSBuild project files in the analysis |
sl analyze --app <name> --go <path>
| Option | Environment variable | Description |
|---|---|---|
--go | SHIFTLEFT_LANG_GO=true | Analyze an application written in Go |
--oss-project-dir <project-path> | SCA only: the (non-default) location where projects are defined | |
--oss-required | SHIFTLEFT_OSS_ABORT_ON_FAILURE=true | SCA only: when set, a failure to generate Software Bill of Materials (BOM) will stop preZero analysis |
sl analyze --app <name> --vcs-prefix-correction "*=src/main/java" --java <path/to/JAR/WAR>
| Option | Environment variable | Description |
|---|---|---|
--dep | Use to combine multiple artifacts for analysis. Can be used multiple times | |
--java | SHIFTLEFT_LANG_JAVA=true | Analyze an application written in Java or Scala |
--oss-project-dir <project-path> | SCA only: the (non-default) location where projects are defined | |
--oss-required | SHIFTLEFT_OSS_ABORT_ON_FAILURE=true | SCA only: when set, a failure to generate Software Bill of Materials (BOM) will stop preZero analysis |
sl analyze --app <name> --js <path>
| Option | Environment variable | Description |
|---|---|---|
--js | SHIFTLEFT_LANG_JS=true | Analyze an application written in JavaScript/TypeScript |
--oss-project-dir <project-path> | SCA only: the (non-default) location where projects are defined | |
--oss-required | SHIFTLEFT_OSS_ABORT_ON_FAILURE=true | SCA only: when set, a failure to generate Software Bill of Materials (BOM) will stop preZero analysis |
The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen -- (e.g., sl analyze --app <name> --js <path> -- <additionalFlags>):
| Option | Description |
|---|---|
--exclude <path-1>,<path-2>,... | Exclude the specified directories during code analysis; the path provided can be a full path or a relative path to the JavaScript project directory |
--exclude-html | Exclude HTML files from the analysis |
--exclude-private-deps | Exclude private modules/dependencies in 'node_modules/' (defaults to false) |
--exclude-regex <value> | A regex specifying the files to exclude during the analysis (the match is to the absolute file path), e.g., --exclude-regex ".*([-.])min\\.js" or `--exclude-regex ".*.(spec |
--include-configs | Include configuration files (e.g., *.conf.js, *.config.js, *.json`). Usually required for OWASP juice shop and other vulnerable apps |
--include-minified | Include minified Javascript sources (e.g., filenames ending with -min.js or .min.js) in the analysis (by default, preZero excludes all such sources) |
--include-tests | Include test files (typically required for sample vulnerable apps, such as OWASP Juice Shop) |
--no-babel | Exclude Babel sources in the analysis (by default, preZero includes Babel sources) |
--no-ts | Exclude TypeScript sources from the analysis (by default, preZero includes Typescript sources) |
--optimize-dependencies | Optimize project dependencies during transpilation (i.e., reduce dependencies to the minimal set that's required to transpile the JS/TS code). May result in faster execution times. Defaults to false |
--output <value> | The CPG output file name (defaults to cpg.bin.zip if none provided) |
--package-json <path> | The custom path to package.json (by default, preZero looks for the file in the JavaScript project directory) |
--private-deps-ns <dep1>,<dep2>,... | Additional private dependencies you would like to be analyzed from node_modules |
sl analyze --app <name> --kotlin <path>
| Option | Environment variable | Description |
|---|---|---|
--kotlin | SHIFTLEFT_LANG_KOTLIN=true | Analyze an application written in Kotlin |
The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen -- (e.g., sl analyze --app <name> --kotlin <path> -- <additionalFlags>):
| Option | Description |
|---|---|
--classpath <path> | The flag that adds a path to the folder where your dependency jars are (e.g., if your dependency jars are in /tmp jars, you could provide this to sl analyze using --classpath /tmp/jars). Can be used more than once. |
--download-dependencies | The flag that triggers a download of the project's dependencies using Gradle or Maven |
--gradle-configuration-name <name> | The Gradle configuration name to be used when downloading dependencies. (defaults to releaseCompileClasspath if none provided) |
--gradle-project-name <name> | The Gradle project name to be used when downloading dependencies. (defaults to app if none provided) |
--ignore-path <path> | The flag that adds a path to the list of directories which will be ignored during analyses. Can be used more than once. |
sl analyze --app <name> --python <path>
| Option | Environment variable | Description |
|---|---|---|
--oss-project-dir <project-path> | SCA only: the (non-default) location where projects are defined | |
--oss-required | SHIFTLEFT_OSS_ABORT_ON_FAILURE=true | SCA only: when set, a failure to generate Software Bill of Materials (BOM) will stop preZero analysis |
--python | SHIFTLEFT_LANG_PYTHON=true | Analyze an application written in Python |
The analysis accepts additional parameters at the end of your command. Be sure to precede these with a double hyphen -- (e.g., sl analyze --app <name> --python <path> -- <additionalFlags>):
| Option | Description |
|---|---|
--extra-sys-paths [<path>] | Include additional module search paths in the analysis |
--ignore-dir-names | Excludes all matching directories from the analysis. You must provide the exact directory name |
--ignore-paths | Ignores the specified paths from the analysis. Requires the full path, not a relative path, to be provided |
--strict-deps | Requires that all of the project's module paths can be followed for analysis to proceed |
sl analyze --app <name> --php <path>
| Option | Environment variable | Description |
|---|---|---|
--php | SHIFTLEFT_LANG_PHP=true | Analyze an application written in PHP |
To run:
sl analyze --app <name> --java <path>
| Option | Environment variable | Description |
|---|---|---|
--java | SHIFTLEFT_LANG_JAVA=true | Analyze an application written in Java or Scala |
--oss-project-dir <project-path> | SCA only: the (non-default) location where projects are defined | |
--oss-required | SHIFTLEFT_OSS_ABORT_ON_FAILURE=true | When set, a failure to generate Software Bill of Materials (BOM) will stop preZero analysis |
--oss-subproject <subproject-name> | SCA for Scala sbt projects only: collect open-source package information only from a specific subproject. This flag should only be used for complex monorepos/multi-project builds |
sl analyze --app <name> --terraform [<path>]
| Option | Description |
|---|---|
--terraform | Analyze Terraform project |