This article explains what an application is from the perspective of ShiftLeft usage.
ShiftLeft CORE's NG SAST groups its code analysis results on a per-application basis. In short, an application is what you deploy to the production environment. We strongly recommend scanning your application as a whole rather than scanning libraries (or other individual components) in isolation: a library scanned on its own has no application entry points for the analysis to start from, so its results are most meaningful when it is analyzed as part of the application that calls it.
When thinking about where/how you should implement ShiftLeft, consider the following sample use cases:
Monorepos: If you have a single repo that contains the application together with its dependencies and individual folders holding libraries, integrate ShiftLeft with that repo and scan it as usual
Microservices: If you have a microservice repo whose dependent libraries are split across multiple repos, scan only the repo containing the microservice. The dependent libraries should be pulled in and included automatically during code analysis, provided your build resolves them (for example, into the packaged artifact) before the scan runs
Single-Page Applications: If you have a single-page application built using React.js or Angular that depends on multiple private modules, UI components, and configuration, scan only the application; do not scan the individual UI components or libraries
Infrastructure: If your repo contains infrastructure code, scan the infrastructure code on a per-environment basis. For example, if your production environment (whose code is stored in prod-repo) uses modules/assets like Amazon S3 (whose code is in repo1) and EC2 (whose code is in repo2), then integrate ShiftLeft with prod-repo only
Scanning applications as a whole instead of scanning individual dependencies, libraries, and so on improves the efficiency of the code analysis step in your CI/CD pipeline, and it keeps findings tied to the unit you actually deploy. Furthermore, ShiftLeft’s emphasis on abstracting away individual repos allows NG SAST to focus on securing applications as a whole.