This article includes troubleshooting steps you can use to identify and fix issues that may come up when using ShiftLeft CORE's NG SAST.

General troubleshooting tips

  • Run sl check-environment to see if there are issues related to your environment (be sure to pass in your language-specific option).

  • Create an environment variable called SHIFTLEFT_SHOW_HIDDEN and set it to true to show the hidden flags supported by the ShiftLeft CLI.

  • When running sl analyze, include the --cpg-output-dir flag to specify your CPG output directory. ShiftLeft will place the CPG in this directory after analysis.

  • Get verbose logs for additional information by including the --verbose and/or --diagnostic flags when invoking sl analyze (i.e., sl analyze --verbose --diagnostic).

  • If your scan does not complete or nothing gets uploaded to ShiftLeft:

    • Check that your antivirus/anti-malware program isn't preventing ShiftLeft from performing correctly
    • (For macOS users) Ensure that ShiftLeft can access the necessary directory (e.g., by default, ShiftLeft may not be able to access files in Documents or on the Desktop without explicit permission)

Working with monorepos

Please keep the following in mind when analyzing a monorepo:

  • Depending on the size of your monorepo, you may need to scan individual components of the app (e.g., UI, API, CLI) separately instead of scanning the monorepo as a whole

  • The ShiftLeft CLI accepts only one language at a time, so if your monorepo's components are written in different languages, you must scan each component on a per-language basis (i.e., you cannot scan JavaScript components alongside Python components)

    • While you can run sequential scans, you can also implement parallel scans with a CI system to save time

  • You can use the ShiftLeft Dashboard's app groups functionality to group all of the individual scans for your monorepo so that you can view them simultaneously

For Windows users

On Windows platforms, sl.exe doesn't auto-update. Please begin your code analysis or troubleshooting steps by checking your ShiftLeft version and updating if necessary:

sl.exe --version

Path argument positioning

The path argument used with sl analyze should be the last value. If any other argument follows the path, sl analyze will fail.

The following is an example of an incorrect invocation (notice that the path argument value comes before the --verbose flag):

sl analyze --app js-example --js . --verbose

The correct invocation is:

sl analyze --app js-example --js --verbose .

Specifying additional arguments to sl analyze

The sl CLI tool accepts standard arguments, such as --app and --verbose. In addition, the CPG generator plugins accept additional arguments for each language. To specify these arguments, you must provide a double hyphen (--), followed by the additional arguments.

For example, you can choose to ignore test and docs directories during analysis of a JavaScript app:

sl analyze --app js-example --js . -- --exclude test,docs

See the language-specific pages for your application for additional information.
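
The rules above (one scan per component, the path as the last sl argument, plugin arguments after a double hyphen) combined into a monorepo wrapper, as an added example that is not ShiftLeft's own code. The component names and directories are constructed, and DRY_RUN is a switch of this script, not an sl setting; by default the script prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed component list, one per line: app name, language flag, directory.
COMPONENTS='shop-ui --js ui
shop-api --js api'

# Build and run one scan. Usage: sl_scan APP LANG_FLAG DIR [PLUGIN_ARG...]
sl_scan() {
    app=$1 lang=$2 dir=$3
    shift 3
    if [ $# -gt 0 ]; then
        # sl's own flags, then the path, then "--" and the plugin arguments.
        set -- sl analyze --app "$app" "$lang" --verbose "$dir" -- "$@"
    else
        # No plugin arguments: the path is the very last value.
        set -- sl analyze --app "$app" "$lang" --verbose "$dir"
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"    # DRY_RUN is this script's own switch (assumption)
    else
        "$@"
    fi
}

# Start every component scan in the background, then wait for all of them.
scan_all() {
    pids=
    while read -r app lang dir; do
        sl_scan "$app" "$lang" "$dir" --exclude test,docs &
        pids="$pids $!"
    done <<EOF
$COMPONENTS
EOF
    rc=0
    for pid in $pids; do
        wait "$pid" || rc=1    # report failure if any scan failed
    done
    return "$rc"
}

scan_all
```

Set DRY_RUN=0 to run the scans; for components in another language, replace --js and the plugin arguments with the ones from that language's page.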