What is an application?

In this article, we will cover what an application is from the perspective of ShiftLeft usage.

ShiftLeft CORE's NG SAST groups its code analysis results on a per-application basis. In short, an application is what you deploy to the production environment. We strongly recommend scanning your application as a whole and avoiding scanning libraries (and other individual components) in isolation.

Examples

When thinking about where/how you should implement ShiftLeft, consider the following sample use cases:

  • Monorepos: If you have a single repo with dependencies and individual folders containing libraries, integrate ShiftLeft and scan the repo as usual. However, depending on the complexity of your monorepo and the number of languages that you use, you may need to split up your monorepo and analyze individual components (e.g., you might analyze your JavaScript components separately from your Python components).

  • Microservices: If you have a microservice repo with dependent libraries that are split into multiple repos, then scan only the repo containing the microservice (this should automatically pull in and include the dependent libraries during the code analysis process).

  • Single-page applications: If you have a single-page application built using React.js or Angular that requires multiple private modules, UI components, and configuration, scan only the application; do not scan the individual UI components or libraries.

  • Infrastructure: If your repo contains infrastructure code, scan the infrastructure code on a per-environment basis. For example, if your production environment (whose code is stored in prod-repo) uses modules/assets like Amazon S3 (whose code is in repo1) and EC2 (whose code is in repo2), then integrate ShiftLeft with prod-repo only.

Summary

Scanning applications as a whole instead of scanning individual dependencies, libraries, etc., improves the efficiency of the code analysis step in your CI/CD pipeline. Furthermore, ShiftLeft's emphasis on abstracting away individual repos allows NG SAST to focus on securing applications as a whole.