Settings

The settings tab of the application details section allows you to:

  • Set a default branch for your application;
  • Configure the version control integration, which allows you to review the affected source code corresponding to the finding.
The ShiftLeft dashboard's Settings tab

Default branches

For each application that you scan with ShiftLeft CORE, you can set a default branch—setting a default branch essentially "pins" a branch so that the scan information for that branch displays whenever you open up an application in the dashboard.

If you do not have a default branch selected, ShiftLeft will display information for the latest scan of that application, regardless of branch.

Set a default branch

To set your default branch:

  1. Log into ShiftLeft and navigate into the application of interest.
  2. In the menu bar, click Settings.
  3. Under Default Branch, use the drop-down menu to select the branch you want to be your default.
  4. Click Set Branch to save your changes.

Default branches are set per user; the default branch for one ShiftLeft user may differ from that of another ShiftLeft user, even though they're working with the same application.

Version control integration

For each application whose code is analyzed and results are tracked by ShiftLeft, the dashboard allows you to view the source code location where ShiftLeft identified a vulnerability. In other words, ShiftLeft can provide URLs that, when used, will direct you to the specific source code lines where the vulnerability occurs.

Background

By default, ShiftLeft attempts to infer the correct URL schema automatically. For example, if you run ShiftLeft CORE from a directory that's also a Git repo, ShiftLeft automatically attempts to read the URL of the remote contained in the Git metadata. This URL informs the UI regarding hyperlink behavior.

However, if you are:

  • Running ShiftLeft from a directory that's not a Git repository
  • Using a version control system that does not follow the URL conventions of GitHub, GitLab, or Bitbucket

You can provide the modifications necessary so that ShiftLeft can show you where your code-specific vulnerabilities can be found.

Configuring the version control integration

Under Settings, click Configure VCS URL.

To integrate your version control system with ShiftLeft, provide your application's source code URL. ShiftLeft offers a series of templates based on the version control system you use to format the URL correctly:

VCSTemplate
GitHubhttps://github.com/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to}
GitLabhttps://gitlab.com/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to}
Bitbuckethttps://bitbucket.org/{repo_user}/{repo_name}/{repo_path}/{file_path}#lines-{line_from},{line_to}
Customhttps://{repo_host}/{repo_user}/{repo_name}/{repo_path}/{file_path}/{file_path}#L{line_from}-L{line_to}
The version control integration panel in the ShiftLeft dashboard

Notes:

  • You can append _escaped to any of these placeholders (i.e., {file_path_escaped}), which escapes the values for URL queries.
  • You can use {commit_or_ref} instead of {ref}. If so, the placeholder will be replaced with the commit hash if available (otherwise, it will be replaced with ref). However, some version control systems may not accept this value since the commit hash may correspond only to a local copy.

Once you've provided the URL to your source code, click Save VCS URL. At this point, your dataflow information contains active hyperlinks that will lead you to where the identified vulnerability is in the source code.

Editing your VCS URL

You can change the URL or see the templates again at any time by clicking Edit URL after the initial configuration.

Modifying the source code file paths used

If your repo's file structure doesn't match the predefined templates ShiftLeft CORE uses, you can provide modifications when running sl analyze.

The --vcs-prefix-correction flag allows you to append information to create the correct file paths for your code:

sl analyze <parameters omitted> --vcs-prefix-correction "prefixToMatch=prefixToAdd"

Sample usage / usage notes

If you include the following flag when running sl analyze...:

--vcs-prefix-correction "/io/shiftleft=/path/prefix/to"

ShiftLeft CORE will find all instances of /io/shiftleft and prepend /path/prefix/to to form /path/prefix/to/io/shiftleft.

You can include as many --vcs-prefix-correction flags as necessary, but each prefix is mutually exclusive (the exception is if you use *). So, if you run:

sl analyze ... --vcs-prefix-correction "*=/src/main" --vcs-prefix-correction "/io/shiftleft=/path/prefix/to"

Then ShiftLeft CORE converts:

  • /com/shiftleft/utils into /src/main/com/shiftleft/utils
  • /io/shiftleft/stream/utils into /src/main/path/prefix/to/io/shiftleft/stream/utils

The * is a special case that means "prefix all" and will be applied with any other prefixes you supply; it is not a wildcard. So, if you use *=/src/main, ShiftLeft CORE will add /src/main to the start of all your file paths.

Inferences

ShiftLeft CORE may infer version control information and provide links based on the running containers' environment variables.

For example, if the GITHUB_RUN_ID is present, ShiftLeft CORE assumes that you're running ShiftLeft CORE against a GitHub repo via GitHub Actions. Alternatively, if you're running ShiftLeft CORE using Jenkins, the GIT_URL or GITHUB_REPO_GIT_URL plus BRANCH_NAME, GIT_LOCAL_BRANCH, or GIT_BRANCH provides branch-related information.

However, ShiftLeft CORE supports the use of the following environment variables; if you set any of these, they will be used instead of the values that ShiftLeft CORE inferred from your run environment. Note that these values are inferred using the information available on a per-scan basis (and not per project).

  • SL_VCS_TEMPLATE: A custom VCS template (e.g., formula to use to determine how ShiftLeft CORE creates your VCS links such as https://{repo_host}/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to})
  • SL_VCS_REPO_NAME: The custom name to be used as your repository name
  • SL_VCS_USER_NAME: The custom username you want to be used (can be an organization name)
  • SL_VCS_COMMIT_ID: The commit ID you want ShiftLeft CORE to use
  • SL_VCS_BRANCH_REF: The branch reference you would like ShiftLeft CORE to use
  • SL_VCS_RELATIVE_PATH: The relative path between the root of your repository and the project that you're analyzing (e.g., the path between the root github.com/yourOrg/monorepo and the app being scanned github.com/yourOrg/monorepo/java/apps/appScanned)
  • SL_VCS_ORIGIN_URL: A custom upstream URL

For Azure users

When setting up VCS in the dashboard, select a Custom URL template and use the following:

https://dev.azure.com/<YOUR_AZURE_ORG>/<YOUR_PROJECT_NAME>/_git/<YOUR_REPO_NAME>?path={file_path_escaped}&version=GB{commit_or_ref}&line={line_from}&lineEnd={line_to}&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents

Be sure to replace <YOUR_AZURE_ORG>, <YOUR_PROJECT_NAME>, and <YOUR_REPO_NAME> with your values.