This article shows you how to analyze your applications written in JavaScript or TypeScript (including those that use the Angular, React.js, and Vue.js frameworks) using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.


ShiftLeft offers sample applications that you can use to run and test NG SAST. They also include functioning configuration files to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).


You must have Node.js installed and added to the PATH variable of the machine on which NG SAST runs.

Before analyzing your application, please make sure that your code builds correctly with npm or yarn. However, applications should not be built before invoking ShiftLeft. ShiftLeft automatically installs the project dependencies and builds the project with custom settings that are more suitable for security analysis. Performing npm build or even npm install beforehand would prevent ShiftLeft from working correctly; as such, execute ShiftLeft against a fresh copy of your application.

Analyzing Your JavaScript Application

To analyze your JavaScript application, run:

# Ensure node_modules does not exist
sl analyze --app <name> --js --cpg [<path>]
--app <name>The name of the application to be analyzed
--jsThe flag identifying the application's language
--cpgThe flag indicating that NG SAST analyzes your application using the Code Property Graph (CPG) mode
<path>The path to the application directory

See the CLI reference for additional sl analyze options.

JavaScript Vulnerabilities

Additional Parameters

The analysis accepts additional parameters after a double hyphen --.

For example, the following ignores minified JavaScript sources in the analysis and uses a custom package.json in the config sub-directory:

sl analyze --app Xyz --cpg --js /path/to/my/typescript-project -- --ignore-minified --package-json /path/to/my/typescript-project/config/package.json

Such parameters, if valid, are passed directly to the JavaScript plugin.

--package-json <path>The custom path to package.json (by default, NG SAST looks for the file in the JavaScript project directory)
--output <value>The CPG output file name (defaults to if none provided)
--no-tsExclude TypeScript sources from the analysis (by default, NG SAST includes Typescript sources)
--no-babelExclude Babel sources in the analysis (by default, NG SAST includes Babel sources)
--include-minifiedInclude minified Javascript sources (e.g., filenames ending with -min.js or .min.js) in the analysis (by default, NG SAST excludes all such sources)
--include-testsInclude test files (typically required for sample vulnerable apps, such as OWASP Juice Shop)
--include-configsInclude configuration files (e.g., *.conf.js, *.config.js, *.json`). Usually required for OWASP juice shop and other vulnerable apps
--exclude <path-1>,<path-2>,...Exclude the specified directories during code analysis; the path provided can be a full path or a relative path to the JavaScript project directory
--exclude-regex <value>A regex specifying the files to exclude during the analysis (the match is to the absolute file path), e.g., --exclude-regex ".*([-.])min\\.js" or `--exclude-regex ".*.(spec
--exclude-private-depsExclude private modules/dependencies in 'node_modules/' (defaults to false)
--private-deps-ns <dep1>,<dep2>,...Additional private dependencies you would like to be analyzed from node_modules
Angular Vulnerabilities

Scanning Node.js Applications

If your Node.js application either:

  1. Uses v8.x.x or
  2. Doesn't include package-lock.json or yarn.lock in the repository

Then there are a couple of additional steps you must take when analyzing your application to ensure that the SCA results you obtain are accurate.

  1. Run npm install and remove node_modules:

    npm install
    rm -rf node_modules
  2. If present, you should also remove any directory that's produced by the build that should not be included in the analysis (e.g., build or dist directories):

    rm -rf frontend/dist frontend/node_modules dist build

Scanning Vue.js Applications

When analyzing a Vue.js application, you must include a vue.config.js file in the root of your repository, otherwise NG SAST will return no results:

module.exports = {
configureWebpack: (config) => {
config.devtool = 'source-map'

You can see how this file is used in the sample Vue.js repo we offer.