Kotlin (Beta)

This article shows you how to analyze your applications written in Kotlin using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.



  • Only supports the analysis of Android applications written in Kotlin using SDK versions 24 to 30.
  • Requires a build environment with at least 16 GB of memory available.
  • Utilizes Java SE Runtime Environment 8; if necessary, you can install this by running sl update jre.

NG SAST for Kotlin runs on source code and does NOT require the target project to be built beforehand.

Analyzing your Kotlin application

To analyze your Kotlin application, run:

sl analyze --app <name> --kotlin <path>
  • --app <name>: The name of the application to be analyzed
  • --kotlin: The flag identifying the application's language
  • <path>: The location of the application's parent source directory

See the CLI reference for additional sl analyze options.

The analysis accepts additional parameters after a double hyphen --.

sl analyze --app <name> --kotlin [<path>] -- --download-dependencies --ignore-path <path>
  • --classpath <path>: The flag that adds a path to the folder where your dependency jars are (e.g., if your dependency jars are in /tmp/jars, you could provide this to sl analyze using --classpath /tmp/jars). Can be used more than once.
  • --download-dependencies: The flag that triggers a download of the project's dependencies using Gradle or Maven
  • --gradle-configuration-name <name>: The Gradle configuration name to be used when downloading dependencies (defaults to releaseCompileClasspath if none is provided)
  • --gradle-project-name <name>: The Gradle project name to be used when downloading dependencies (defaults to app if none is provided)
  • --ignore-path <path>: The flag that adds a path to the list of directories that will be ignored during analysis. Can be used more than once.

If you would like to use NG SAST to scan non-Android applications written in Kotlin (i.e., backend services) or applications written in both Java and Kotlin, please contact ShiftLeft's customer support team for further assistance.

Dependency management

This Gradle plugin can help you resolve all the dependencies of a project and place them into a single directory (i.e., running ./gradlew gatherDependencies downloads the jars to build/gatheredDependencies, which you can then pass to sl analyze using --classpath build/gatheredDependencies).

Tagging results with your branch name

To include the branch name in your NG SAST results, allowing you to distinguish one set of results from another, add the following to your invocation of ShiftLeft:

sl analyze --tag branch=`git symbolic-ref --short HEAD`

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but ShiftLeft detects one available in your environment, it will use that name.
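
The dependency-management and branch-tagging steps above, combined into one POSIX shell wrapper as an added example (not ShiftLeft's own tooling). The function names, the DRY_RUN switch, and the fallbacks from --classpath to --download-dependencies and from git to GITHUB_HEAD_REF are assumptions of this example:

```shell
#!/bin/sh
# Added example, not ShiftLeft's own tooling. The function names, DRY_RUN and
# the fallback order are assumptions of this example.

# Print the branch name to tag results with. `git symbolic-ref` fails on a
# detached HEAD (the usual state of a CI checkout), so fall back to
# GITHUB_HEAD_REF, the environment form of ${{ github.head_ref }}.
resolve_branch() {
    if branch=$(git symbolic-ref --short HEAD 2>/dev/null); then
        printf '%s\n' "$branch"
    else
        printf '%s\n' "${GITHUB_HEAD_REF:-}"
    fi
}

# Usage: analyze_kotlin <app-name> <source-dir> [ignored-dir ...]
analyze_kotlin() {
    app=$1; src=$2; shift 2
    deps="$src/build/gatheredDependencies"

    # Turn each remaining argument into "--ignore-path <dir>".
    n=$#
    for dir in "$@"; do set -- "$@" --ignore-path "$dir"; done
    shift "$n"

    # Prefer jars already gathered by ./gradlew gatherDependencies; otherwise
    # let the analysis download the dependencies itself.
    if [ -d "$deps" ]; then
        set -- --classpath "$deps" "$@"
    else
        set -- --download-dependencies "$@"
    fi

    # Options after the double hyphen go to the Kotlin analysis.
    set -- --app "$app" --kotlin "$src" -- "$@"
    branch=$(resolve_branch)
    if [ -n "$branch" ]; then set -- --tag "branch=$branch" "$@"; fi

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "sl analyze $*"   # show the command instead of running it
    else
        sl analyze "$@"
    fi
}
```

Set DRY_RUN=1 to print the assembled command without running sl. When no branch can be resolved, the wrapper passes no --tag and leaves branch detection to ShiftLeft.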