ShiftLeft CORE extension for VS Code

The ShiftLeft CORE extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities.

Language support and requirements

ShiftLeft CORE for VS Code currently:

  • Supports the analysis of JavaScript/TypeScript and Python applications;
  • Requires the use of a workstation running Linux, macOS (with non-M1 processors), or Windows.

Dependencies

Before proceeding with this extension, you must have installed the following dependencies:

  • Node.js if you're scanning JavaScript/TypeScript apps
  • Python if you're scanning Python apps. Note: you must have v3.8 installed in addition to the version that you're using for your application

The extension will automatically download and install the latest version of the ShiftLeft CLI for you. This will not affect the system version of the ShiftLeft CLI (if you have it installed); these two versions will be maintained in parallel.

Ensure that you've added sl and node or python to your system PATH variable.

Installation

To install ShiftLeft CORE for VS Code, obtain the extension by downloading it from the VS Code Marketplace.

ShiftLeft CORE extension in the marketplace

Alternatively, you can download it from VS Code by opening the Extensions pane, searching for ShiftLeft CORE, and clicking Install.

Installing ShiftLeft CORE via the extensions tab

Usage

Step 1: Authenticate your machine

The ShiftLeft CORE for VS Code extension will leverage the information contained in your local ShiftLeft configuration file (created when you installed the ShiftLeft CLI) to authenticate your machine.

To authenticate your newly installed extension:

  1. Click the Connect to ShiftLeft CORE icon in your left-hand navigation bar to begin the process of authenticating with ShiftLeft.

    VS Code overview
  2. Log into Shiftleft when prompted (if necessary, create an account first).

  3. Return to VS Code and verify that your organization and user information are displayed in the top-most window of the left navigation bar.

    User info

Step 2: Open your project

  1. In VS Code, open the project you want scanned by ShiftLeft.

  2. Click the ShiftLeft CORE icon in the left-hand navigation bar to launch the extension.

  3. If prompted, authenticate with ShiftLeft (if you're already authenticated, you'll see your User Profile information displayed instead).

Step 3: Access the extension's functionality via the command palette

You can find all of the ShiftLeft extension's functionality under the Command Palette (open using Command + Shift + P for macOS or Control + Shift + P for Linux/Windows):

OptionDescription
AnalyzeAnalyze your project
ConnectConnect your extension with your ShiftLeft account and organization
Contact SupportLaunch your email client to contact ShiftLeft Support
Fetch Latest Scan ResultsGet latest scan results
Focus on Assigned to Me ViewBring the Assigned to Me view into focus
Focus on Help & Support ViewBring the Help & Support view into focus
Focus on OSS Vulnerabilities ViewBring the OSS Vulnerabilities view into focus
Focus on Project Configuration ViewBring the Focus on Project Configuration view into focus
Focus on Secrets ViewBring the Secrets view into focus
Focus on User Profile ViewBring the User Profile view into focus
Focus on Vulnerabilities ViewBring the Vulnerabilities view into focus
Open DocumentationOpen the documentation for the extension in a new browser window
Open Project ConfigurationOpen the project configuration/settings page
Pre Commit CheckIdentify secrets present in your project
View: Show ShiftLeft COREBrings the extension-related windows into foucs

Example: Run the pre-commit check for secrets

To run the pre-commit check that scans your project for secrets (passwords, API access keys, and other credentials that should not be publically exposed) that you may inadvertently commit to your repository:

  1. Open the project you're interested in scanning.

  2. Open the Command Palette (use Command + Shift + P for macOS or Control + Shift + P for Linux/Windows), search for ShiftLeft CORE: Pre Commit Check, and select this option to begin the analysis.

  3. Your results will appear under Problems. If you don't see this, open it with either Command + Shift + M (macOS) or Control + Shift + M (Linux/Windows).

  4. To see where the secret appears, click on the result to go to the specific code location.

    Secrets identified during pre-commit check

Example: Analyze your application

To scan your application for security vulnerabilities:

  1. Open the project that you're interested in scanning.

  2. Open the Command Palette (use Command + Shift + P for macOS or Control + Shift + P for Linux/Windows), search for ShiftLeft CORE: Analyze, and select this option to begin the analysis. You can see the scan status by launching Output and selecting ShiftLeft CORE: Server Output Channel in the drop-down menu to the right. If you don't see the Output window, launch it using either Command + Shift + U (macOS) or Control + Shift + U (Linux/Windows).

    Server channel output
  3. View your results under Problems when the scan is complete. If you don't see this, open it with either Command + Shift + M (macOS) or Control + Shift + M (Linux/Windows).

  4. To see where a specific issue is in your code, click the item in your results; ShiftLeft will open the file and highlight where the issue you selected is located.

    Vulnerabilities identified during scan

Configuration

You can configure your extension and update your settings by going to Preferences > Settings > Extensions > ShiftLeft CORE.

ShiftLeft CORE extensions settings

Help

Contact the ShiftLeft Customer Success Team for assistance.