This article shows you how to analyze your applications that are written in Scala using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.


NG SAST supports the analysis of applications written in Scala 2.12 (or later).

Building Your Application

NG SAST's code analysis is performed on compiled application bytecode (not on source code) and the code analysis process includes a build of your application. As such, you must build your application before you can analyze the application with NG SAST.

Some build tools you might consider include Maven, Gradle, sbt, etc.

Analyzing Your Scala Application

To analyze your Scala application, run:

sl analyze --app <name> --java [<path>]
--app <name>The name of the application to be analyzed
--javaThe flag identifying the application's language
<path>The location of the application's .jar / .war file to be analyzed

See the CLI reference for additional sl analyze options.

CPG Mode

Optionally, you can choose to analyze your application using the Code Property Graph (CPG) mode. With CPG mode, ShiftLeft builds the CPG locally, then uploads it (rather than your application's code) to the ShiftLeft cloud for analysis.

To analyze your application using CPG mode, include the option --cpg in the sl analyze command (e.g., sl analyze --app <name> --java --cpg <path>).

Source Code View

The ShiftLeft Dashboard's findings list can include URLs that, when used, will direct you to the specific source code lines where the vulnerability occurs.

However, to leverage ShiftLeft's source code view with Scala applications, you must augment the source code filepaths. NG SAST uses the byte code, not the source code, for analysis, so you'll need to provide additional information about your filepath structure to ensure that NG SAST generates the links properly.