This article shows you how to analyze your applications that are written in Java using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.


  • NG SAST supports the analysis of applications written in Java 7 through Java 11. We offer partial support for apps written in Java 14 and 15 (please reach out to ShiftLeft for additional details).
  • Your build environment must have at least 16 GB of memory available.

NG SAST uses Java SE Runtime Environment 8; if necessary, you can install it using sl update jre.

Building Your Application

NG SAST's code analysis is performed on the compiled application bytecode (not on the source code). As such, you must build your application before you can analyze the application with NG SAST.

Some build tools you might consider include Maven, Gradle, sbt, etc.
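Because NG SAST works on compiled bytecode and supports specific Java versions, it can help to inspect the built artifact before submitting it. The following Python check is an added example, not ShiftLeft tooling; it reads the class-file headers in a JAR/WAR and compares their major versions with the ranges listed above. The function names and the sample_jar input are constructed for illustration.

```python
import io
import struct
import zipfile
from collections import Counter

# Class-file major versions (JVM spec): Java 7 = 51, 8 = 52, ... 11 = 55, 14 = 58, 15 = 59.
FULL = range(51, 56)   # Java 7 through 11: supported per this article
PARTIAL = (58, 59)     # Java 14 and 15: partial support per this article


def class_major_versions(artifact):
    """Count class-file major versions in a JAR/WAR (path or file-like object)."""
    versions = Counter()
    with zipfile.ZipFile(artifact) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue  # nested JARs under WEB-INF/lib are not opened here
            with zf.open(name) as fh:
                header = fh.read(8)
            if len(header) == 8:
                magic, _minor, major = struct.unpack(">IHH", header)
                if magic == 0xCAFEBABE:
                    versions[major] += 1
    return versions


def preflight(artifact):
    """Return 'no-bytecode', 'outside-range', 'partial' or 'supported'."""
    versions = class_major_versions(artifact)
    if not versions:
        return "no-bytecode"  # e.g. a sources-only JAR: nothing to analyze
    if any(v not in FULL and v not in PARTIAL for v in versions):
        return "outside-range"
    return "partial" if any(v in PARTIAL for v in versions) else "supported"


def sample_jar(majors):
    """Constructed sample: an in-memory JAR with one stub class header per major version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for i, major in enumerate(majors):
            zf.writestr(f"com/example/C{i}.class", struct.pack(">IHH", 0xCAFEBABE, 0, major))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for majors in ([52, 55], [55, 58], [61], []):
        print(majors, "->", preflight(sample_jar(majors)))
```

For a real build, pass the artifact path instead of the sample, e.g. preflight("target/app.jar") (a hypothetical path).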

Analyzing Your Java Application

To analyze your Java application, run:

sl analyze --app <name> --java [<path-to-JAR/WAR>]
  --app <name>    The name of the application to be analyzed
  --java          The flag identifying the application's language
  <path>          The location of the application's .jar or .war file to be analyzed

See the CLI reference for additional sl analyze options.

If you're using a templating framework like JavaServer Pages (JSP), the templates are included in the .jar / .war file analyzed.

Combining Multiple Artifacts for Analysis

You can combine multiple .jar files for analysis by NG SAST as follows:

sl analyze --app YOUR_APP first.jar --dep second.jar

Note that you can include --dep as many times as needed:

sl analyze --app YOUR_APP first.jar --dep second.jar --dep third.jar --dep fourth.jar


When running code analysis, we recommend using a heap size that includes an additional 20% to ensure that you have sufficient physical memory on your server for other requirements (e.g., Java).

To that end, we recommend setting a process environment variable called SHIFTLEFT_JAVA_OPTS (e.g., SHIFTLEFT_JAVA_OPTS="-Xmx10g") so that ShiftLeft runs with the heap memory required for your particular application.

CPG Mode

Optionally, you can choose to analyze your application using the Code Property Graph (CPG) mode. With CPG mode, ShiftLeft builds the CPG locally, then uploads it (rather than your application's code) to the ShiftLeft cloud for analysis.

To analyze your application using CPG mode, include the option --cpg in the sl analyze command (e.g., sl analyze --app <name> --java --cpg <path>).

Source Code View

The ShiftLeft Dashboard's findings list can include URLs that, when used, will direct you to the specific source code lines where the vulnerability occurs.

However, to use ShiftLeft's source code view with Java applications, you must correct the source code file paths by passing the --vcs-prefix-correction flag to sl analyze. NG SAST uses the bytecode, not the source code, for analysis, so you'll need to provide additional information about your file path structure to ensure that NG SAST generates the links properly.