Use the default policy with best practices

ShiftLeft offers a variation of the default policy (the one with the sensitive data dictionary) that also includes best practices. With this policy, ShiftLeft shows both attacker-reachable findings and findings that are best-practice violations.

For example, one such finding might be a SQL injection pattern involving a string append operation that isn't attacker reachable. Another might involve code that dynamically generates SQL statements. These findings are shown in the ShiftLeft Dashboard and flagged as info.
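To make the kind of best-practice finding described above concrete, here is an added example (not from the ShiftLeft documentation) in Python using the standard sqlite3 module. The first function builds a SQL statement by string append from a value that is not attacker-controlled (an internal constant), which is the pattern the best-practices policy reports as info rather than as an attacker-reachable vulnerability; the second uses a parameterized query, which is the best-practice form. The table and rows are constructed for the example.

```python
import sqlite3

# Internal constant: not attacker-controlled, so a plain reachability
# analysis would not flag queries built from it.
DEFAULT_STATUS = "active"


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "active"), (2, "bob", "disabled"), (3, "carol", "active")],
    )
    return conn


def count_by_status_concat(conn, status=DEFAULT_STATUS):
    """SQL built by string append.

    Even when `status` is a trusted constant, a best-practices policy flags
    this as info: the pattern is hard to audit and becomes an injection the
    moment the value's source changes to something attacker-controlled.
    """
    query = "SELECT COUNT(*) FROM users WHERE status = '" + status + "'"
    return conn.execute(query).fetchone()[0]


def count_by_status_param(conn, status=DEFAULT_STATUS):
    """Same query with a bound parameter: the best-practice form.

    The driver sends the value separately from the statement, so the value
    can never change the statement's structure.
    """
    query = "SELECT COUNT(*) FROM users WHERE status = ?"
    return conn.execute(query, (status,)).fetchone()[0]


def demonstrate_difference():
    """Show why the info-level finding matters.

    Both functions agree on the trusted constant. If the same value were ever
    fed from an untrusted source, only the parameterized version keeps its
    meaning; the string-append version would match every row.
    """
    conn = make_db()
    untrusted_value = "active' OR '1'='1"  # constructed hostile input
    return (
        count_by_status_concat(conn, untrusted_value),
        count_by_status_param(conn, untrusted_value),
    )


if __name__ == "__main__":
    db = make_db()
    print("concat, trusted constant:", count_by_status_concat(db))
    print("param,  trusted constant:", count_by_status_param(db))
    print("(concat, param) with untrusted value:", demonstrate_difference())
```

The point of the best-practices policy is exactly this gap: the first function is not exploitable today, so it is not an attacker-reachable finding, but it is one refactor away from becoming one, which is why the policy reports it at the info level.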

To use this policy, modify your invocation of sl analyze to include the --policy flag and the name of the policy as follows:

sl analyze --policy io.shiftleft/defaultWithDictAndBestPractices --app yourAppName ...

Using this policy will likely increase the number of findings for your app, and it may slow down analysis.