Analyzing GitHub Repositories using NG SAST

This article will walk you through setting up automated code analysis using NextGen Static Analysis (NG SAST) for a GitHub repository.

Prerequisite: Register for a ShiftLeft Account

If you haven't already, register for a ShiftLeft account.

You will be prompted to create an organization. Provide a name for your organization and click Create Organization to proceed.

Step 1: Provide Access to Your GitHub Repositories

Log in to ShiftLeft, and click Add App.

ShiftLeft will ask if you'd like to grant access to just your public repositories or both your public and private repositories.

[Screenshot: Select repository type(s) to include]

You'll then need to provide ShiftLeft with permission to access your GitHub repositories.

[Screenshot: Authorize access to GitHub]

Step 2: Choose the Repository to Analyze

At this point you can choose to:

  1. Try out the ShiftLeft workflow using the demo repo in the language of your choice.
  2. Select one of your repositories for code analysis.

[Screenshot: Repo choices]

Note: As part of the workflow, ShiftLeft will be creating a GitHub Action on your behalf. Depending on your usage level, you may incur charges for your use of GitHub Actions. You will be fully responsible for such charges.

To try out the ShiftLeft workflow using the demo repo, click the box corresponding to the language of your choice. This will result in ShiftLeft analyzing a repo in the chosen language.

[Screenshot: Choose the demo repo to analyze]

Click Next in the top left to proceed.

You'll be redirected to the Demo Workflow Setup screen, which shows you ShiftLeft's progress in setting up your sample app.

When done, you'll be able to see the steps ShiftLeft took, as well as a link to view your demo app. Click See Demo App to proceed.

[Screenshot: Setting up the demo app]

This redirects you to the Applications View, which shows a full list of all apps associated with your ShiftLeft account. It may take some time for ShiftLeft to analyze the demo repo and return the results.

[Screenshot: Applications with completed scans]

When you no longer see any status bars indicating that a scan is in progress, click anywhere on the application row to launch the app-specific summary page.

[Screenshot: Application summary]

Step 3: Merge the GitHub Pull Request (Optional)

As part of the workflow setup process, ShiftLeft created an open Pull Request (PR) in your repository (regardless of whether you used a demo repository or your own repository). The PR adds a YAML file (found under /.github/workflows/shiftleft.yml) to your repo that uses GitHub Actions to execute NG SAST on every PR opened from then on.

[Screenshot: GitHub PR]

If you used a demo repo, you do not have to merge the PR created by ShiftLeft unless you are interested in modifying the behavior defined in the YAML file.

If, on the other hand, you provided a repository you own for analysis, you must merge the PR if you would like ShiftLeft to keep analyzing your repo. You can also modify the YAML file to further customize the GitHub Action's behavior.
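For orientation when reviewing or customizing the workflow from Step 3, here is an added example of a minimal pull-request-triggered NG SAST workflow for a Java project; it is not the shiftleft.yml that ShiftLeft generates. The CLI download URL, the `sl analyze` flags and the `SHIFTLEFT_ACCESS_TOKEN` secret name are assumptions about the ShiftLeft CLI and are not taken from this page.

```yaml
# Added example workflow (assumed shape, not ShiftLeft's generated file).
name: ShiftLeft NG SAST

on:
  pull_request:                # scan every PR, as the page describes
    branches: [main]

permissions:
  contents: read               # least privilege: scanning only reads the tree

jobs:
  ngsast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - name: Build
        run: mvn -B -DskipTests package   # NG SAST for Java analyzes the built JAR

      - name: Download ShiftLeft CLI
        # Assumption: the sl binary is served from this URL.
        run: |
          curl -fsSL https://cdn.shiftleft.io/download/sl -o "$GITHUB_WORKSPACE/sl"
          chmod a+rx "$GITHUB_WORKSPACE/sl"

      - name: NG SAST scan
        env:
          # Assumption: the CLI reads its token from this variable; store it
          # as a repository secret, never in the workflow file.
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: |
          "$GITHUB_WORKSPACE/sl" analyze \
            --app "${GITHUB_REPOSITORY##*/}" \
            --tag "branch=${GITHUB_HEAD_REF}" \
            --java target/*.jar
```

Adjust the build and `--java` path steps to match your project; the `pull_request` trigger and `permissions` block are the parts most worth keeping when you customize the generated file.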