This article shows you how to analyze your applications that are written in Python using NG SAST.
You must have:
- Set up and authenticated with ShiftLeft
- Set up Python 3.8 (regardless of which version of Python your app uses) and made sure `python3.8` is available in your PATH
- Set up the `python3.8-venv` package (Linux only)
NG SAST only supports applications written using Python 3.8 or earlier.
The build agent should have Python 3.8 set up and support the creation of Python virtual environments.
ShiftLeft's Python analyzer attempts to gather as much information about your project as possible to achieve a high level of accuracy. As such, it expects an environment set up close to the one you have for running your project. This means that the Python interpreter must find all of the project's dependencies set up in one of the directories of its module search path. The most straightforward way to do this is to create a virtual environment and install the project's dependencies in it.
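The prerequisites above (a `python3.8` interpreter on the PATH, a working venv module, and an application targeting Python 3.8 or earlier) are easy to verify on a build agent before the analysis runs. The following preflight script is an added example, not part of ShiftLeft's documentation or tooling; the function names and the `RUN_PREFLIGHT` variable are assumptions chosen here.

```shell
#!/bin/sh
# Added example: preflight checks for the NG SAST Python analyzer prerequisites.
# Function names and the RUN_PREFLIGHT variable are assumptions made for this example.

# Returns 0 when a "MAJOR.MINOR[.PATCH]" version string is 3.8 or earlier, 1 otherwise.
python_version_supported() {
  major=$(printf '%s' "$1" | cut -d. -s -f1)
  minor=$(printf '%s' "$1" | cut -d. -s -f2)
  case "$major" in ''|*[!0-9]*) return 1 ;; esac   # reject "abc", "3", ""
  case "$minor" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$major" -lt 3 ]; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -le 8 ]; then return 0; fi
  return 1
}

# Verifies that python3.8 is on the PATH and reports the version it runs.
check_interpreter() {
  if ! command -v python3.8 >/dev/null 2>&1; then
    echo "python3.8 not found in PATH" >&2
    return 1
  fi
  ver=$(python3.8 -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])')
  echo "found python3.8 -> $ver"
}

# Verifies that the venv module works by creating a throwaway environment.
check_venv() {
  tmp=$(mktemp -d) || return 1
  if python3.8 -m venv "$tmp/venv" >/dev/null 2>&1 && [ -x "$tmp/venv/bin/python" ]; then
    rm -rf "$tmp"
    return 0
  fi
  echo "python3.8 -m venv failed; on Linux install the python3.8-venv package" >&2
  rm -rf "$tmp"
  return 1
}

# Runs all checks; the argument is the Python version the application targets.
run_preflight() {
  app_version=$1
  if ! python_version_supported "$app_version"; then
    echo "app targets Python $app_version; NG SAST supports 3.8 or earlier" >&2
    return 1
  fi
  check_interpreter && check_venv
}

# Only run the live checks when explicitly requested, e.g. RUN_PREFLIGHT=1 sh preflight.sh 3.8
if [ -n "${RUN_PREFLIGHT:-}" ]; then run_preflight "${1:-3.8}"; fi
```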
ShiftLeft supports setups that do not use virtual environments as long as the Python interpreter can find the dependencies in its search path. You can specify additional directories to look for dependencies using the
Additionally, the Python analyzer walks your project's files and modules in a way that mirrors the Python interpreter. This process is crucial for gathering important information and can be fragile for certain setups. If the analyzer cannot follow one of the imports in your project, the analysis still proceeds, but the files behind that import may be left out of the resulting analysis, so NG SAST may not detect security vulnerabilities in them. To receive the most complete analysis possible, include the
Analyzing Your Python Application
ShiftLeft offers a sample application that you can use to run and test NG SAST. It also includes a functioning configuration file to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).
We also offer samples for GitLab integration, as well as configurations for Docker, Linux, macOS, and Windows.
Before running code analysis, please run `pip install` and make sure it succeeds.
On macOS and in some Linux environments, `python` may be using version 2 instead of version 3. If so, use
To analyze your Python application:
| Parameter description |
|---|
| The name of the application to be analyzed |
| The flag identifying the application as written in Python |
| The path to the Python app to be analyzed |
The analysis accepts additional parameters after a double hyphen (`--`).
For example, the following CLI invocation ignores the `dev-folder` directory and all directories named `experiments`, and adds a new entry to Python's module search path:
| Parameter description |
|---|
| Include additional module search paths in the analysis |
| Requires that all of the project's module paths can be followed for the analysis to proceed |
| Ignores the specified paths from the analysis |
| Excludes all matching directories from the analysis. You must provide the exact directory name |
Such parameters, if valid, are passed directly to the Python plugin.
To provide an additional module search path for the analysis:
To specify that the analysis should only continue if all the project's modules can be followed:
To ignore specific paths from the analysis:
To ignore specific directory names from the analysis:
To enable detailed logging of the analysis in case of troubleshooting:
See the CLI reference for additional `sl analyze` options.