Kotlin (Beta)
This article shows you how to analyze your applications written in Kotlin using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.
Requirements
NG SAST:
- Only supports the analysis of Android applications written in Kotlin using SDK versions 24 to 30.
- Requires a build environment with at least 16 GB of memory available.
- Utilizes Java SE Runtime Environment 8; if necessary, you can install this by running `sl update jre`.
NG SAST for Kotlin runs on source code and does NOT require the target project to be built beforehand.
Analyzing your Kotlin application
To analyze your Kotlin application, run:

```
sl analyze --app <name> --kotlin <path>
```

Parameter | Description
---|---
`--app <name>` | The name of the application to be analyzed
`--kotlin` | The flag identifying the application's language
`<path>` | The location of the application's parent source directory
See the CLI reference for additional `sl analyze` options.
The analysis accepts additional parameters after a double hyphen (`--`).
Parameter | Description
---|---
`--classpath <path>` | Adds a path to the folder containing your dependency jars (e.g., if your dependency jars are in `/tmp/jars`, pass `--classpath /tmp/jars` to `sl analyze`). Can be used more than once.
`--download-dependencies` | Triggers a download of the project's dependencies using Gradle or Maven.
`--gradle-configuration-name <name>` | The Gradle configuration name to be used when downloading dependencies (defaults to `releaseCompileClasspath` if none is provided).
`--gradle-project-name <name>` | The Gradle project name to be used when downloading dependencies (defaults to `app` if none is provided).
`--ignore-path <path>` | Adds a path to the list of directories that will be ignored during analysis. Can be used more than once.
If you would like to use NG SAST to scan non-Android applications written in Kotlin (i.e., backend services) or applications written in both Java and Kotlin, please contact ShiftLeft's customer support team for further assistance.
Dependency management
This Gradle plugin can help you resolve all the dependencies of a project and place them into a single directory: running `./gradlew gatherDependencies` downloads the jars to `build/gatheredDependencies`, which you can then pass to `sl analyze` using `--classpath build/gatheredDependencies`.
Tagging results with your branch name
To include the branch name in your NG SAST results, allowing you to distinguish one set of results from another, add the following to your invocation of ShiftLeft:

```
--tag branch=<name>
```

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use `--tag branch=${{ github.head_ref }}` to populate your branch name.
If you don't provide a branch name, but ShiftLeft detects one available in your environment, it will use that name.
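The following wrapper, an added example rather than ShiftLeft's own tooling, assembles the `sl analyze` invocation described above for a CI job: it keeps the `sl` options before the `--` separator and the analyzer options after it, passes `--classpath` when a gathered-dependencies directory exists and falls back to `--download-dependencies` otherwise, and picks the branch tag from an explicit argument, `GITHUB_HEAD_REF`, or git. The `APP_NAME`, `SRC_DIR` and `DEPS_DIR` variables and the dry-run style (printing the command instead of executing it) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ShiftLeft documentation or CLI.
# Prints the sl analyze command for a Kotlin Android project so it can be
# reviewed (dry run) before a CI job executes it.
set -eu

# detect_branch [NAME]: explicit name first, then GitHub Actions'
# GITHUB_HEAD_REF, then the current git branch; empty output means
# "let ShiftLeft detect the branch from the environment".
detect_branch() {
  if [ -n "${1:-}" ]; then printf '%s' "$1"; return; fi
  if [ -n "${GITHUB_HEAD_REF:-}" ]; then printf '%s' "$GITHUB_HEAD_REF"; return; fi
  git rev-parse --abbrev-ref HEAD 2>/dev/null || true
}

# build_analyze_cmd APP SRC_DIR BRANCH DEPS_DIR
# sl's own options (--app, --kotlin, --tag, <path>) go before "--";
# the analyzer's options (--classpath / --download-dependencies) go after it.
build_analyze_cmd() {
  app="$1"; src="$2"; branch="$3"; deps="$4"
  cmd="sl analyze --app $app --kotlin"
  if [ -n "$branch" ]; then
    cmd="$cmd --tag branch=$branch"
  fi
  cmd="$cmd $src --"
  if [ -d "$deps" ]; then
    # Jars gathered beforehand (e.g. by ./gradlew gatherDependencies).
    cmd="$cmd --classpath $deps"
  else
    # No local jar directory: let the analyzer fetch them via Gradle/Maven.
    cmd="$cmd --download-dependencies"
  fi
  printf '%s' "$cmd"
}

# Stand-alone run: show the command that a CI step would execute.
build_analyze_cmd "${APP_NAME:-my-android-app}" "${SRC_DIR:-.}" \
  "$(detect_branch "${1:-}")" "${DEPS_DIR:-build/gatheredDependencies}"
echo
```

Run it with the branch name as the first argument to override detection; to execute the analysis instead of printing it, wrap the output in `eval "$(...)"` only once you have reviewed it.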