OWASP Juice Shop

This article will show you how to scan the OWASP Juice Shop app with ShiftLeft CORE.

Prerequisites

You must have ShiftLeft CORE installed and authenticated.

You must have a copy of the OWASP Juice Shop; you can obtain the latest OWASP Juice Shop app via GitHub. You can clone the repo to your workstation and run ShiftLeft CORE locally, or you can fork the repo and create a GitHub Action that calls ShiftLeft CORE.

Preparing the app for analysis

OWASP Juice Shop is a JavaScript/TypeScript app, and analyzing it is similar to analyzing most other JavaScript/TypeScript apps. However, there are several steps that you should take when scanning Node.js apps (of which Juice Shop is one).

If you're running ShiftLeft CORE locally, navigate into the Juice Shop folder, then:

  1. Run npm install and remove node_modules:

    npm install
    rm -rf node_modules
  2. If present, you should also remove any directory that your build produces that ShiftLeft CORE should not include in the analysis (e.g., build or dist directories):

    rm -rf frontend/dist frontend/node_modules dist build

If you're integrating ShiftLeft CORE into your deployment pipeline, you'll need to include these instructions explicitly. For example, if you're using GitHub Actions to analyze code changes during the pull request process, you'll include something similar to the following in your configuration file:

    - name: Repo prep for JS apps
      run: |
        npm install
        rm -rf node_modules
        rm -rf frontend/dist frontend/node_modules dist build

Analyzing the application

Once you've prepped the app, you'll need to call sl analyze to begin the code analysis process.

sl analyze --app juice-shop-training --js . \
-- --with-tests --include-configs --exclude node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build

Alternatively, you can use something like GitHub Actions to automate the process.

See sl analyze for more information about sl analyze and its options.

Note the -- that separates the sl analyze options from the additional flags following it. For JavaScript/TypeScript apps, ShiftLeft CORE accepts a variety of such additional parameters after the --.

For Juice Shop, you'll need:

  • --with-tests: Include test files
  • --include-configs: Include configuration files (e.g., *.conf.js, *.config.js, *.json)
  • --exclude node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build: Exclude the specified directories during code analysis
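The prep and analysis steps above, combined into one script with a clean-tree check between them. This is an added example, not ShiftLeft's own tooling: it assumes the sl binary is on PATH, takes the directory list and the --exclude set from this page, and refuses to start the analysis if any node_modules, dist or build directory (including nested ones a flat rm -rf would miss) is still present in the checkout.

```shell
#!/bin/sh
# Added example (not from the ShiftLeft docs): prep a Node.js checkout, verify the
# tree is clean, and only then invoke sl analyze with this page's exclusions.
set -eu

# Directories this page removes before analysis (relative to the repo root).
PREP_DIRS="node_modules frontend/dist frontend/node_modules dist build"

# The same set this page passes to --exclude, plus the two it excludes but never deletes.
EXCLUDE_DIRS="node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build"

# Step 1 of the page: install so generated files exist, then drop node_modules and build output.
install_deps() {
  (cd "$1" && npm install)
}

# Remove every directory in PREP_DIRS below the given repo root.
remove_build_dirs() {
  repo="$1"
  for d in $PREP_DIRS; do
    rm -rf "$repo/$d"
  done
}

prep_repo() {
  install_deps "$1"
  remove_build_dirs "$1"
}

# Succeeds (exit 0) only when no node_modules/dist/build directory remains anywhere
# below the repo; the first leftover path is left in $leftovers for the error message.
tree_is_clean() {
  repo="$1"
  leftovers=$(find "$repo" -type d \( -name node_modules -o -name dist -o -name build \) -print | head -n 1)
  [ -z "$leftovers" ]
}

# Run the analysis exactly as on this page, but only after the tree is verified clean,
# so stale dependency trees cannot inflate the scan or leak into findings.
analyze_repo() {
  repo="$1"
  app="$2"
  tree_is_clean "$repo" || { echo "refusing to scan: leftover directory $leftovers" >&2; return 1; }
  (cd "$repo" && sl analyze --app "$app" --js . \
    -- --with-tests --include-configs --exclude "$EXCLUDE_DIRS")
}

# Usage: sh prep_and_scan.sh /path/to/juice-shop juice-shop-training
if [ "$#" -eq 2 ]; then
  prep_repo "$1" && analyze_repo "$1" "$2"
fi
```

The check in tree_is_clean is the part a pipeline benefits from: the rm -rf lines only cover paths named in advance, while find catches any node_modules, dist or build directory that a dependency or a second package in the repo produced somewhere else.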

Please note that the OWASP Juice Shop app analysis can take 20-30 minutes (or more) to complete.