This article will show you how to scan the OWASP Juice Shop app with ShiftLeft CORE.
You must have ShiftLeft CORE installed and authenticated.
You must have a copy of the OWASP Juice Shop; you can obtain the latest OWASP Juice Shop app via GitHub. You can clone the repo to your workstation and run ShiftLeft CORE locally, or you can fork the repo and create a GitHub Action that calls ShiftLeft CORE.
Preparing the app for analysis
If you're running ShiftLeft CORE locally, navigate into the Juice Shop folder, run npm install, and then remove the node_modules directory that the install created:

    npm install
    rm -rf node_modules

If present, you should also remove any directory that your build produces and that ShiftLeft CORE should not include in the analysis (e.g., dist directories):

    rm -rf frontend/dist frontend/node_modules dist build
If you're integrating ShiftLeft CORE into your deployment pipeline, you'll need to include these instructions explicitly. For example, if you're using GitHub Actions to analyze code changes during the pull request process, you'll include something similar to the following in your configuration file:
Analyzing the application
Once you've prepped the app, call sl analyze to begin the code analysis process. Alternatively, you can use something like GitHub Actions to automate the process. See sl analyze for more information about the command and its options.
For Juice Shop, you'll need the following options:
--with-test: Include test files
--include-configs: Include configuration files (e.g.,
--exclude node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build: Exclude the specified directories during code analysis. The list is comma-separated with no spaces. It covers the directories removed in the preparation step plus vagrant and data/static, which are part of the repository itself and so are excluded rather than deleted.
Please note that the OWASP Juice Shop app analysis can take 20-30 minutes (or more) to complete.
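The following script puts the preparation and analysis steps above together for a local checkout. It is an added example, not code from this page or from ShiftLeft. It assumes the CLI is on PATH as sl and is already authenticated, and it uses --app to name the application, --js to select the JavaScript analyzer, and a trailing path argument for the checkout; none of those three appear on this page, so confirm them against sl analyze --help before relying on the script. The SL_RUNNER dry-run variable is the script's own convention. The directories it deletes and excludes are exactly the ones listed above.

```shell
#!/bin/sh
# Added example (not from the page or from ShiftLeft): prepare and analyze
# OWASP Juice Shop with ShiftLeft CORE.
# Assumptions: `sl` is on PATH and authenticated; `--app`, `--js` and the
# trailing path argument are not documented on this page. Confirm them with
# `sl analyze --help`.
set -eu

# Directories the page passes to --exclude (comma-separated, no spaces).
JUICE_SHOP_EXCLUDES="node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build"

# Directories the page deletes before analysis: node_modules (after npm install)
# plus build output. vagrant and data/static are part of the repository, so they
# are only excluded, never deleted.
JUICE_SHOP_BUILD_DIRS="node_modules frontend/dist frontend/node_modules dist build"

# Remove build output from a Juice Shop checkout (the rm -rf steps above).
remove_build_dirs() {
    app_dir=$1
    for d in $JUICE_SHOP_BUILD_DIRS; do
        rm -rf "$app_dir/$d"
    done
}

# Step 1: npm install, then drop node_modules and any build output.
prepare_juice_shop() {
    (cd "$1" && npm install)
    remove_build_dirs "$1"
}

# Pre-flight check before starting a 20-30 minute analysis: fails (returns 1)
# and names each build directory that still exists, which usually means a build
# or install step ran after the preparation step in a pipeline.
check_clean() {
    app_dir=$1
    status=0
    for d in $JUICE_SHOP_BUILD_DIRS; do
        if [ -e "$app_dir/$d" ]; then
            echo "check_clean: $d still present in $app_dir" >&2
            status=1
        fi
    done
    return $status
}

# Step 2: run the analysis with the Juice Shop options from the page.
# Set SL_RUNNER=echo (script's own convention) to print the command instead of
# running it, e.g. to review what a CI step will execute.
analyze_juice_shop() {
    app_dir=$1
    app_name=${2:-juice-shop}
    ${SL_RUNNER:-} sl analyze --app "$app_name" --js --with-test --include-configs \
        --exclude "$JUICE_SHOP_EXCLUDES" "$app_dir"
}

main() {
    app_dir=${1:?usage: $0 <path-to-juice-shop> [app-name]}
    prepare_juice_shop "$app_dir"
    check_clean "$app_dir"
    analyze_juice_shop "$app_dir" "${2:-juice-shop}"
}

# Run only when a path is given, so the functions can also be sourced from a CI step.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh analyze-juice-shop.sh /path/to/juice-shop my-app-name`. In a GitHub Actions workflow the same functions can be called from a run: step after checkout; the check_clean step is what catches a job that rebuilt the frontend after the cleanup ran.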