You must have Node.js installed and added to the PATH variable of the machine on which NG SAST runs.
Before analyzing your application, make sure that your code builds correctly with `yarn`. However, applications should not be built before invoking ShiftLeft. ShiftLeft automatically installs the project dependencies and builds the project with custom settings that are more suitable for security analysis. Performing `npm build` or even `npm install` beforehand would prevent ShiftLeft from working correctly; as such, execute ShiftLeft against a fresh copy of your application.
|The name of the application to be analyzed|
|The flag identifying the application's language|
|The flag indicating that NG SAST analyzes your application using the Code Property Graph (CPG) mode|
|The path to the application directory|
See the CLI reference for additional `sl analyze` options.
The analysis accepts additional parameters after a double hyphen (`--`):
package.json in the
|The CPG output file name (defaults to |
|Exclude TypeScript sources from the analysis (by default, NG SAST includes TypeScript sources)|
|Exclude Babel sources from the analysis (by default, NG SAST includes Babel sources)|
|Include test files (typically required for sample vulnerable apps, such as OWASP Juice Shop)|
|Include configuration files (e.g., |
|A regex specifying the files to exclude during the analysis (the match is to the absolute file path), e.g., |
|Exclude private modules/dependencies in 'node_modules/' (defaults to |
|Additional private dependencies you would like to be analyzed from |
Scanning Node.js Applications
If your Node.js application either:
- uses Node.js v8.x.x, or
- doesn't include `yarn.lock` in the repository,

then there are a couple of additional steps you must take when analyzing your application to ensure that the SCA results you obtain are accurate.
Run `npm install`, then remove `node_modules`:

```shell
npm install
rm -rf node_modules
```
If present, you should also remove any directory that's produced by the build that should not be included in the analysis (e.g., `dist` directories):

```shell
rm -rf frontend/dist frontend/node_modules dist build
```
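The pre-flight checks described above, as an added example that is not part of the NG SAST documentation or the `sl` CLI: it decides whether the extra SCA steps apply (no `yarn.lock`, or Node 8.x reported by `node --version`), lists the leftover install and build directories named on this page, and removes them so ShiftLeft can perform its own install and build. The function names and the major-version parsing are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper functions (not from ShiftLeft); the directory names
# are exactly the ones this page tells you to remove before `sl analyze`.

# Returns 0 (true) when the repository needs the extra SCA steps:
# no yarn.lock committed, or Node.js 8.x on the PATH.
sl_sca_prep_needed() {
    dir=$1
    [ -f "$dir/yarn.lock" ] || return 0
    if command -v node >/dev/null 2>&1; then
        # `node --version` prints e.g. v8.17.0; keep only the major number
        major=$(node --version | sed 's/^v//; s/\..*//')
        [ "$major" = "8" ] && return 0
    fi
    return 1
}

# Prints, one per line, leftover directories that would make ShiftLeft's
# own dependency install and build misbehave. Returns 0 if any exist.
sl_stale_artifacts() {
    dir=$1
    found=1
    for d in node_modules dist build frontend/dist frontend/node_modules; do
        if [ -d "$dir/$d" ]; then
            echo "$d"
            found=0
        fi
    done
    return $found
}

# Removes those directories so the scan runs against a fresh tree.
sl_clean_artifacts() {
    dir=$1
    for d in node_modules dist build frontend/dist frontend/node_modules; do
        [ -d "$dir/$d" ] && rm -rf "$dir/$d"
    done
    return 0
}
```

Run `sl_sca_prep_needed .` in the repository root; a zero exit status means you still need the `npm install` and `rm -rf node_modules` steps before invoking ShiftLeft.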
Scanning Vue.js Applications
When analyzing a Vue.js application, you must include a `vue.config.js` file in the root of your repository, otherwise NG SAST will return no results:
You can see how this file is used in the sample Vue.js repo we offer.