ShiftLeft CORE extension for VS Code
The ShiftLeft CORE extension allows you to run a pre-commit check to identify secrets in your code and analyze your application for security vulnerabilities.
Language support and requirements
ShiftLeft CORE for VS Code currently:
- Supports the analysis of JavaScript/TypeScript and Python applications;
- Requires the use of a workstation running Linux, macOS (with non-M1 processors), or Windows.
Dependencies
Before proceeding with this extension, you must have installed the following dependencies:
- Node.js if you're scanning JavaScript/TypeScript apps
- Python if you're scanning Python apps. Note: you must have v3.8 installed in addition to the version that you're using for your application
The extension will automatically download and install the latest version of the ShiftLeft CLI for you. This will not affect the system version of the ShiftLeft CLI (if you have it installed); these two versions will be maintained in parallel.
Ensure that you've added
slandnodeorpythonto your systemPATHvariable.
Installation
To install ShiftLeft CORE for VS Code, obtain the extension by downloading it from the VS Code Marketplace.
Alternatively, you can download it from VS Code by opening the Extensions pane, searching for ShiftLeft CORE, and clicking Install.
Usage
Step 1: Authenticate your machine
The ShiftLeft CORE for VS Code extension will leverage the information contained in your local ShiftLeft configuration file (created when you installed the ShiftLeft CLI) to authenticate your machine.
To authenticate your newly installed extension:
Click the Connect to ShiftLeft CORE icon in your left-hand navigation bar to begin the process of authenticating with ShiftLeft.
Log into Shiftleft when prompted (if necessary, create an account first).
Return to VS Code and verify that your organization and user information are displayed in the top-most window of the left navigation bar.
Step 2: Open your project
In VS Code, open the project you want scanned by ShiftLeft.
Click the ShiftLeft CORE icon in the left-hand navigation bar to launch the extension.
If prompted, authenticate with ShiftLeft (if you're already authenticated, you'll see your User Profile information displayed instead).
Step 3: Access the extension's functionality via the command palette
You can find all of the ShiftLeft extension's functionality under the Command Palette (open using Command + Shift + P for macOS or Control + Shift + P for Linux/Windows):
| Option | Description |
|---|---|
| Analyze | Analyze your project |
| Connect | Connect your extension with your ShiftLeft account and organization |
| Contact Support | Launch your email client to contact ShiftLeft Support |
| Fetch Latest Scan Results | Get latest scan results |
| Focus on Assigned to Me View | Bring the Assigned to Me view into focus |
| Focus on Help & Support View | Bring the Help & Support view into focus |
| Focus on OSS Vulnerabilities View | Bring the OSS Vulnerabilities view into focus |
| Focus on Project Configuration View | Bring the Focus on Project Configuration view into focus |
| Focus on Secrets View | Bring the Secrets view into focus |
| Focus on User Profile View | Bring the User Profile view into focus |
| Focus on Vulnerabilities View | Bring the Vulnerabilities view into focus |
| Open Documentation | Open the documentation for the extension in a new browser window |
| Open Project Configuration | Open the project configuration/settings page |
| Pre Commit Check | Identify secrets present in your project |
| View: Show ShiftLeft CORE | Brings the extension-related windows into foucs |
Example: Run the pre-commit check for secrets
To run the pre-commit check that scans your project for secrets (passwords, API access keys, and other credentials that should not be publically exposed) that you may inadvertently commit to your repository:
Open the project you're interested in scanning.
Open the Command Palette (use Command + Shift + P for macOS or Control + Shift + P for Linux/Windows), search for ShiftLeft CORE: Pre Commit Check, and select this option to begin the analysis.
Your results will appear under Problems. If you don't see this, open it with either Command + Shift + M (macOS) or Control + Shift + M (Linux/Windows).
To see where the secret appears, click on the result to go to the specific code location.
Example: Analyze your application
To scan your application for security vulnerabilities:
Open the project that you're interested in scanning.
Open the Command Palette (use Command + Shift + P for macOS or Control + Shift + P for Linux/Windows), search for ShiftLeft CORE: Analyze, and select this option to begin the analysis. You can see the scan status by launching Output and selecting ShiftLeft CORE: Server Output Channel in the drop-down menu to the right. If you don't see the Output window, launch it using either Command + Shift + U (macOS) or Control + Shift + U (Linux/Windows).
View your results under Problems when the scan is complete. If you don't see this, open it with either Command + Shift + M (macOS) or Control + Shift + M (Linux/Windows).
To see where a specific issue is in your code, click the item in your results; ShiftLeft will open the file and highlight where the issue you selected is located.
Configuration
You can configure your extension and update your settings by going to Preferences > Settings > Extensions > ShiftLeft CORE.
Help
Contact the ShiftLeft Customer Success Team for assistance.