OWASP Juice Shop
This article will show you how to scan the OWASP Juice Shop app with ShiftLeft CORE.
Prerequisites
You must have ShiftLeft CORE installed and authenticated.
You must have a copy of the OWASP Juice Shop; you can obtain the latest OWASP Juice Shop app via GitHub. You can clone the repo to your workstation and run ShiftLeft CORE locally, or you can fork the repo and create a GitHub Action that calls ShiftLeft CORE.
Preparing the app for analysis
OWASP Juice Shop is a JavaScript/TypeScript app, and analyzing it is similar to analyzing most other JavaScript/TypeScript apps. However, there are several steps that you should take when scanning Node.js apps (of which Juice Shop is one).
If you're running ShiftLeft CORE locally, navigate into the Juice Shop folder, then:
1. Run npm install, then remove node_modules:

   npm install
   rm -rf node_modules

2. If present, also remove any directory that your build produces that ShiftLeft CORE should not include in the analysis (e.g., build or dist directories):

   rm -rf frontend/dist frontend/node_modules dist build
If you're integrating ShiftLeft CORE into your deployment pipeline, you'll need to include these steps explicitly in the pipeline configuration. For example, if you're using GitHub Actions to analyze code changes during the pull request process, you'll include something similar to the following in your workflow file:
Analyzing the application
Once you've prepped the app, call sl analyze to begin the code analysis process. Alternatively, you can use something like GitHub Actions to automate the process.
See the sl analyze reference for more information about sl analyze and its options.
Note the -- followed by additional flags: for JavaScript/TypeScript apps, ShiftLeft CORE accepts a variety of additional parameters after the --. For Juice Shop, you'll need:

--with-test: Include test files.
--include-configs: Include configuration files (e.g., *.conf.js, *.config.js, *.json).
--exclude node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build: Exclude the specified directories (a comma-separated list of paths relative to the project root) during code analysis.
Note that analyzing the OWASP Juice Shop app can take 20-30 minutes (or more) to complete.
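As an added example (not code from the ShiftLeft documentation or from the Juice Shop project), the following POSIX shell script carries out the whole procedure described above in one place: npm install, removal of the dependency and build directories, a check that they are really gone before the scan starts, and the sl analyze call with the flags this page lists after the --. The --app and --js options are assumed from ShiftLeft's general sl analyze usage and are not stated on this page; the app name juice-shop is a placeholder. The same script can be invoked from a GitHub Actions step after the checkout step.

```shell
#!/bin/sh
# Added example: prepare a local OWASP Juice Shop checkout and run the
# ShiftLeft CORE analysis with the flags listed on this page.
# Assumed (not from this page): sl analyze accepts --app <name> to name the
# application and --js to select the JavaScript/TypeScript analyzer.
set -eu

# Directories to exclude from analysis, exactly as listed on this page.
JUICE_EXCLUDES="node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build"

# Remove installed dependencies and build output that must not be analyzed.
# Takes the Juice Shop root and never touches anything outside it.
clean_juice_shop() {
  root="$1"
  rm -rf "$root/node_modules" "$root/frontend/node_modules" \
         "$root/frontend/dist" "$root/dist" "$root/build"
}

# Verify that every directory that should be gone really is gone, so a
# stale node_modules or dist cannot slip into the scan. Returns 1 and
# names the first offender if any remains.
check_clean() {
  root="$1"
  for d in node_modules frontend/node_modules frontend/dist dist build; do
    if [ -e "$root/$d" ]; then
      echo "still present: $root/$d" >&2
      return 1
    fi
  done
  return 0
}

# Assemble the sl analyze command line. Everything after -- is handed to
# the JavaScript/TypeScript analyzer (the three flags this page requires).
build_analyze_cmd() {
  app="$1"
  printf 'sl analyze --app %s --js -- --with-test --include-configs --exclude %s' \
    "$app" "$JUICE_EXCLUDES"
}

# Full procedure: install, clean, verify, analyze.
main() {
  root=$(cd "$1" && pwd)      # canonical path, so later steps survive the cd
  app="${2:-juice-shop}"      # placeholder app name (assumed)
  cd "$root"
  npm install                 # step 1 on this page
  clean_juice_shop "$root"    # steps 1 and 2: drop dependency and build dirs
  check_clean "$root"         # refuse to scan if anything is left behind
  cmd=$(build_analyze_cmd "$app")
  echo "running: $cmd"
  eval "$cmd"                 # expect 20-30 minutes or more for Juice Shop
}

# Usage: sh scan-juice-shop.sh /path/to/juice-shop [app-name]
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The check_clean step is the part worth keeping even if you inline the rest into a CI step: the --exclude list only tells the analyzer what to skip, while the explicit removal plus verification makes sure the directories are not present at all when the scan starts, which is the state this page's instructions describe.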