Scala

This article shows you how to analyze applications written in Scala using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.

Requirements

NG SAST supports the analysis of applications written in Scala 2.12 (or later).

SCA: To identify open-source vulnerabilities in Java/Scala applications, ShiftLeft CORE requires one of the following build manifests: Maven (pom.xml), Gradle (build.gradle or build.gradle.kts) or sbt (build.sbt).

Building your application

NG SAST analyzes compiled application bytecode, not source code, so the analysis workflow starts with a build of your application: you must build it (producing a .jar or .war file) before analyzing it with NG SAST.

Common build tools for Scala projects include sbt, Maven and Gradle.

Analyzing your Scala application

To analyze your Scala application, run:

sl analyze --app <name> --java [<path>]

Parameter       Description
--app <name>    The name of the application to be analyzed
--java          The flag identifying the application's language
<path>          The location of the application's .jar / .war file to be analyzed

See the CLI reference for additional sl analyze options.

SCA

To identify open-source vulnerabilities, ShiftLeft CORE automatically searches for build manifests in the directory from which you run sl analyze. Although you provide the packaged artifact (or the project package) explicitly, ShiftLeft CORE assumes that the directory from which you run sl analyze is the directory containing the application's source code and build manifests.

Depending on how your project repo is structured, you may need to provide the following configuration options so that ShiftLeft CORE can identify where your dependencies are located:

Configuration option                  Description
--oss-project-dir <project-path>      The (non-default) location where projects are defined
--oss-subproject <subproject-name>    For sbt projects only: collect open-source package information only from a specific subproject. Use this flag only for complex monorepos/multi-project builds

Tagging results with your branch name

To include the branch name in your NG SAST results, allowing you to distinguish one set of results from another, add the following to your invocation of ShiftLeft:

sl analyze --tag branch=`git symbolic-ref --short HEAD`

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but ShiftLeft detects one available in your environment, it will use that name.
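The following script ties the steps above together for an sbt project: build, locate the packaged jar, derive the branch name (CI variable first, then git), and assemble the sl analyze command line with the optional SCA flags. It is an added example, not ShiftLeft's own tooling. It assumes a hypothetical environment of sbt 1.x and Scala 2.12 (so artifacts land in sbt's default target/scala-2.12/ directory), an already authenticated sl CLI, and GitHub Actions' GITHUB_HEAD_REF variable as the CI source of the branch name; adjust SCALA_BIN_VERSION for other Scala versions.

```shell
#!/bin/sh
# Added example, not ShiftLeft's own tooling: build a Scala project with sbt,
# find the packaged jar, and run NG SAST with a branch tag and the SCA options
# from this page. Assumed (hypothetical) environment: sbt 1.x, Scala 2.12 so
# artifacts land in target/scala-2.12/, and an already authenticated `sl`.
set -e

SCALA_BIN_VERSION="${SCALA_BIN_VERSION:-2.12}"

# Branch name in the order the page describes: a CI-provided value first
# (GitHub Actions exposes a PR's source branch as GITHUB_HEAD_REF), then the
# checked-out branch. Prints nothing on a detached HEAD or outside a repo.
branch_name() {
  if [ -n "${GITHUB_HEAD_REF:-}" ]; then
    printf '%s\n' "$GITHUB_HEAD_REF"
  elif command -v git >/dev/null 2>&1; then
    git -C "${1:-.}" symbolic-ref --short HEAD 2>/dev/null || true
  fi
}

# Values that end up on the sl command line (app name, branch, paths) come
# partly from the environment; refuse anything outside a conservative charset
# so a crafted branch name cannot smuggle shell metacharacters into the run.
safe_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_./=-]*|-*) return 1 ;;
  esac
}

# Newest application jar in an sbt output directory, skipping the -sources,
# -javadoc and -tests companion jars sbt can also produce.
find_artifact() {
  newest=""
  for jar in "$1"/*.jar; do
    [ -f "$jar" ] || continue
    case "$jar" in *-sources.jar|*-javadoc.jar|*-tests.jar) continue ;; esac
    if [ -z "$newest" ] || [ "$jar" -nt "$newest" ]; then newest="$jar"; fi
  done
  [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Every jar/war is a zip container and starts with the "PK" local-file-header
# magic; check that before handing the file to sl.
is_jar() {
  [ "$(head -c 2 "$1" 2>/dev/null | od -An -c | tr -d ' \n')" = "PK" ]
}

# The sl invocation from this page, with --tag and the SCA flags appended only
# when set. Printed as one line so it can be reviewed (or tested) before it runs.
# Arguments: app-name jar-path branch oss-project-dir oss-subproject
analyze_cmd() {
  app="$1"; jar="$2"; branch="$3"; project_dir="$4"; subproject="$5"
  for v in "$app" "$jar"; do safe_token "$v" || return 1; done
  cmd="sl analyze --app $app"
  if [ -n "$branch" ]; then safe_token "$branch" || return 1; cmd="$cmd --tag branch=$branch"; fi
  if [ -n "$project_dir" ]; then safe_token "$project_dir" || return 1; cmd="$cmd --oss-project-dir $project_dir"; fi
  if [ -n "$subproject" ]; then safe_token "$subproject" || return 1; cmd="$cmd --oss-subproject $subproject"; fi
  printf '%s\n' "$cmd --java $jar"
}

# Build with sbt (`package` writes the thin jar; `assembly` from the
# sbt-assembly plugin would put a fat jar in the same directory), then analyze.
# Usage: analyze_scala_app <app-name> [oss-project-dir] [oss-subproject]
analyze_scala_app() {
  sbt -batch clean package
  jar="$(find_artifact "target/scala-$SCALA_BIN_VERSION")"
  is_jar "$jar" || { echo "not a jar: $jar" >&2; return 1; }
  cmd="$(analyze_cmd "$1" "$jar" "$(branch_name .)" "${2:-}" "${3:-}")"
  echo "running: $cmd"
  $cmd   # every token passed safe_token, so plain word splitting is safe here
}

# Only run the build when explicitly asked, so the functions above can also be
# sourced, e.g.: RUN_NGSAST=1 sh analyze.sh my-app
if [ "${RUN_NGSAST:-0}" = 1 ]; then analyze_scala_app "$@"; fi
```

The safe_token check is the one piece worth keeping even if you inline the rest: the branch name is attacker-influenced input in any CI pipeline that analyzes pull requests, and interpolating it into a shell command without a whitelist is how a tag becomes a command injection.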

Source code view

The ShiftLeft Dashboard's findings list can include links that take you to the specific source code lines where a finding occurs.

However, to use ShiftLeft's source code view with Scala applications, you must augment the source code filepaths. NG SAST analyzes bytecode rather than source code, so you need to provide additional information about your filepath structure so that NG SAST generates the links correctly.