This article shows you how to analyze your applications that are written in Go using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.


NG SAST analyzes only source code written in Go 1.12 (or later), not compiled applications.

You must have the appropriate version of Go installed on the machine on which you're running ShiftLeft.

The VM or environment you use should be able to build Go applications correctly. Before attempting code analysis, confirm that the application builds using the go build command (or, for example, make build if you're using a Makefile).

Analyzing Your Go Application


ShiftLeft offers a sample application that you can use to run and test NG SAST. It also includes a functioning configuration file to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).

To analyze your Go application, run:

sl analyze --app <name> --go --cpg <package>

--app <name>: The name of the application to be analyzed
--go: The flag identifying the application's language
--cpg: Include if you want to analyze your application using the Code Property Graph (CPG) mode. With CPG mode, ShiftLeft builds the CPG locally, then uploads the CPG (instead of your application) to the cloud for analysis
<package>: The Go package to be analyzed (this is the same argument you'd pass to Go's build command). You can also pass in paths to the individual .go files. If you're executing sl analyze in the package's directory, you can pass in shorthands like . for the package name, or wildcards like ./... if there are multiple subpackages to be selected for analysis

See the CLI reference for additional sl analyze options.

Sample Usage

go build
sl analyze --app shiftleft-go-example --go --cpg .

Using cgo

If your application uses cgo and you run into problems during analysis, consider first disabling cgo for code analysis using the standard CGO_ENABLED switch:

CGO_ENABLED=0 sl analyze --app <name> --go --cpg <package>
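
The steps on this page (check the Go version, confirm the build, run sl analyze, fall back to CGO_ENABLED=0) combined into one wrapper script, as an added example that is not ShiftLeft's own tooling. The function names, exit codes and the retry-once policy are assumptions; the script expects go and sl on PATH and sl already authenticated.

```shell
#!/usr/bin/env bash
# Added example: pre-flight wrapper around the commands documented on this page.
# Function names, exit codes and retry policy are assumptions, not ShiftLeft tooling.

# go_version_ok "<output of `go version`>"
# Succeeds when the reported toolchain is Go 1.12 or later.
go_version_ok() {
    local ver major minor
    # `go version` prints e.g. "go version go1.21.3 linux/amd64"
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^go version go\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 1   # unparseable output (e.g. devel builds) is rejected
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 12 ]; }
}

# analyze_go_app <app-name> <package>
analyze_go_app() {
    local app=$1 pkg=$2
    command -v go >/dev/null || { echo "go not found in PATH" >&2; return 2; }
    command -v sl >/dev/null || { echo "sl not found in PATH" >&2; return 2; }
    go_version_ok "$(go version)" ||
        { echo "NG SAST requires Go 1.12 or later" >&2; return 3; }
    # Confirm the project builds before attempting analysis.
    go build "$pkg" || { echo "go build failed; fix the build first" >&2; return 4; }
    if sl analyze --app "$app" --go --cpg "$pkg"; then
        return 0
    fi
    # cgo fallback described above: retry once with cgo disabled.
    echo "analysis failed; retrying with CGO_ENABLED=0" >&2
    CGO_ENABLED=0 sl analyze --app "$app" --go --cpg "$pkg"
}

# Runs only when called with two arguments, e.g.:
#   ./analyze.sh shiftleft-go-example .
if [ "$#" -eq 2 ]; then
    analyze_go_app "$1" "$2"
fi
```

With CGO_ENABLED=0, Go leaves files that import "C" out of the build, so check whether a successful retry still covered the code you expected to be analyzed.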