sl analyze

The analyze command allows you to run preZero and perform code analysis on your application.

Usage

sl analyze --app appName <language flag> <command options> <path>
# example: sl analyze --app yourApp --java /path/to/jar

For easy reuse in future analyses, you can store some command-related information as environment variables. Where one exists, the corresponding environment variable is listed in the table below.

Note the precedence: values set via environment variables override those set in a configuration file, and both are overridden by values specified via command-line flags.

| Option | Environment variable | Description |
|---|---|---|
| --app <name> | SHIFTLEFT_APP=<name> | The name of your application (maximum length: 100 characters) |
| --analysis-timeout <timeout> | SHIFTLEFT_ANALYSIS_TIMEOUT=<timeout> | The timeout (e.g. 15m) to use for analysis. Default: 15 minutes (15m0s) |
| --container | SHIFTLEFT_CONTAINER_SCA=<name> | The container to include (e.g. docker.io/shiftleft/demoContainer:latest, where docker.io is the registry, shiftleft is the repo, demoContainer is the container name, and latest is the tag; registry and tag default to docker.io and latest respectively) |
| --cpg-generation-timeout <timeout> | | Timeout for the CPG generation phase (e.g. 15m). If not set, the default is 15 minutes |
| --disable-multilanguage-analysis | QWIET_DISABLE_MULTI_LANGUAGE_ANALYSIS=true | Disable multilanguage analysis; the most prevalent language is detected and used for analysis |
| --exclude-languages <language> | | Exclude a language from analysis. May be specified multiple times |
| --git-remote-name <remote> | | The remote to use (instead of origin) when including Git metadata with your application; Qwiet AI uses the remote repository to link vulnerabilities shown in the Dashboard to your source code |
| --no-vcs-metadata | | Do NOT send Git metadata to Qwiet AI; disables the automatic linking of identified vulnerabilities in the Dashboard to the source code in your version control repository |
| --policy <ID> | | The policy NG SAST should use during analysis; if not set, NG SAST uses the default policy |
| --remediation-config <file> | | Suppress findings based on the rules/patterns defined in the given config file |
| --sca-only-upload | | Only run SCA; skip SAST and other processing steps |
| --secrets-only | | Only scan for secrets; skip SAST, SCA, and other processing steps |
| --strict | SHIFTLEFT_STRICT=true | Treat failures (including timeouts) as errors: exit and return the appropriate error code. We strongly recommend this for any automated scan (e.g. GitHub Actions, CI/CD pipelines) |
| --structured-output | | Write scan details in a structured format to a file. By default the file contains a JSON object and is written to ./scan_output_<orgID>_<appID>_<timestamp>.json |
| --structured-output-format <JSON\|YAML> | | With --structured-output, the format of the structured output. Accepted values: JSON and YAML |
| --structured-output-module <vcs\|ci> | | With --structured-output, append VCS and/or CI information to the output file. May be used one or more times. Accepted values: vcs and ci |
| --structured-output-file-path <path> | | With --structured-output, the file path (including the file name) the structured output is written to |
| --tag app.group=<name> | | Create an application group so that multiple applications are displayed together as a group in the Dashboard |
| --tag branch=<name> | | The application branch displayed in the Dashboard. If you don't provide one and Qwiet AI detects a branch name from your version control system, that name is used |
| --team <name> | | The Team the application should be assigned to. Only takes effect if the app does not yet exist and the Team already exists (it will not create a Team). Team Admins can use it to submit an application for analysis and assign it to a Team for which they are an admin. Quote Team names containing spaces, e.g. --team "Team Name" |
| --vcs-prefix-correction <value> | | File path modifications so that the Source Code View reflects your repo structure |
| --wait | SHIFTLEFT_WAIT=true | Wait for Qwiet AI Core (SAST and container scanning) to finish analysis before returning control of the CLI |
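
As an added example (not Qwiet AI's own script), a POSIX shell wrapper for running sl analyze from a CI job: it passes --strict and --wait so a failed or timed-out scan fails the step, writes structured JSON output, supplies the branch tag explicitly because CI checkouts are often a detached HEAD, and keeps a Team name with spaces as one argument. SHIFTLEFT_APP is the page's own variable; SL_BIN, TEAM, SCAN_OUTPUT_PATH, detect_branch and run_analyze are this example's assumed names, and GITHUB_REF_NAME is the branch variable GitHub Actions exports.

```shell
# Added example of a CI wrapper around `sl analyze` (not Qwiet AI's own script).
# Assumed names: SHIFTLEFT_APP (the env form of --app) must be set; SL_BIN,
# TEAM and SCAN_OUTPUT_PATH are optional and specific to this example;
# GITHUB_REF_NAME is the branch variable GitHub Actions exports.

# Branch name for --tag branch=<name>. CI checkouts are often a detached HEAD,
# where git reports "HEAD" rather than a branch, so prefer the CI-provided name
# and fall back to git only when it yields a real branch.
detect_branch() {
  if [ -n "${GITHUB_REF_NAME:-}" ]; then
    printf '%s\n' "$GITHUB_REF_NAME"
    return 0
  fi
  _b=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)
  if [ -n "$_b" ] && [ "$_b" != "HEAD" ]; then
    printf '%s\n' "$_b"
  fi
}

# Run the scan: $1 = language flag (e.g. --java), $2 = path to scan.
# Arguments are assembled with `set --` so values containing spaces (a Team
# name, a path) stay single arguments without any manual quoting.
run_analyze() {
  : "${SHIFTLEFT_APP:?SHIFTLEFT_APP must be set}"
  _lang=$1; _target=$2; _branch=$(detect_branch)
  # --strict makes failures and timeouts exit non-zero; --wait blocks until
  # analysis completes so the job's result reflects the scan outcome.
  set -- analyze --app "$SHIFTLEFT_APP" "$_lang" --strict --wait \
    --structured-output --structured-output-format JSON \
    --structured-output-file-path "${SCAN_OUTPUT_PATH:-scan_output.json}"
  if [ -n "$_branch" ]; then
    set -- "$@" --tag "branch=$_branch"
  fi
  if [ -n "${TEAM:-}" ]; then
    set -- "$@" --team "$TEAM"
  fi
  set -- "$@" "$_target"
  # sl's exit code becomes the function's exit code, so a failing scan fails the step.
  "${SL_BIN:-sl}" "$@"
}
```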

Language-specific command options

sl analyze --app <name> --c </path/to/code>
| Option | Environment variable | Description |
|---|---|---|
| --c | SHIFTLEFT_LANG_C=true | Analyze an application written in C/C++ |