This article will show you how to integrate ShiftLeft CORE into your GitHub Pull Request (PR) workflow for automated code analysis using GitHub Actions if your application utilizes multiple programming languages.
Step 1: Create your GitHub secret
GitHub secrets are encrypted values scoped to a single repository; they are exposed to GitHub Actions workflows as environment variables without ever being stored in plain text in the repo. You will use a secret to hold the access token that lets the workflow authenticate to ShiftLeft.
To create a secret specific to your GitHub repository, go to Settings > Secrets. Click New Secret. You will need to create a secret called SHIFTLEFT_ACCESS_TOKEN to store your ShiftLeft CI config token.
You can create your CI token in the ShiftLeft Dashboard.
Step 2: Create your GitHub Action and define its workflow
GitHub Actions offers you workflow automation functionality. You can use this to automatically run NG SAST (e.g., when you create a new Pull Request).
To create a new GitHub Action for your repository, click Actions. If this is your first time setting up a GitHub Action, click set up a workflow yourself near the top-left; otherwise, click New workflow, then select set up a workflow yourself.
You will be redirected to a YAML editing window. Rename the file (if desired), and provide the following script to invoke NG SAST.
When done, click Start commit and follow the prompts to commit the file to your repo.
You'll see your newly configured workflow listed under the repository's Actions.
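An example of the kind of workflow file Step 2 asks you to commit, added here as an illustration and not the article's own script. It assumes a repository containing a Maven-built Java service plus a JavaScript front end; the `sl analyze` options and the app names are assumptions to verify against the ShiftLeft CLI documentation for the version you run.

```yaml
# Added example (not the article's own script). Assumes a Maven-built Java
# service and a JavaScript front end; CLI flags and app names are assumptions.
name: ShiftLeft NG SAST

on:
  pull_request:
    branches: [main]

permissions:
  contents: read   # least privilege: the job only needs to read the source

jobs:
  ngsast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '11'

      - name: Build Java artifact
        run: mvn -B -q -DskipTests package

      - name: Download ShiftLeft CLI
        run: |
          curl -sSf https://cdn.shiftleft.io/download/sl > "${GITHUB_WORKSPACE}/sl"
          chmod a+rx "${GITHUB_WORKSPACE}/sl"

      # One analyze step per language; each shows up as its own app in the
      # ShiftLeft Dashboard. The token is read from the repository secret
      # created in Step 1 and never written into the workflow file.
      - name: NG SAST (Java)
        env:
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: >
          "${GITHUB_WORKSPACE}/sl" analyze --wait
          --app my-service-java
          --tag branch=${{ github.head_ref }}
          --java --cpg target/*.jar

      - name: NG SAST (JavaScript)
        env:
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        run: >
          "${GITHUB_WORKSPACE}/sl" analyze --wait
          --app my-service-js
          --tag branch=${{ github.head_ref }}
          --js --cpg frontend
```

The `branch=` tag lets you tell PR scans apart from main-branch scans in the Dashboard, and `--wait` makes the step fail the check if the analysis itself fails rather than returning before results exist.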
Step 3: Test Your Workflow
At this point, you're done with the configuration steps. You can check whether you successfully set up the GitHub Action by triggering the workflow (e.g., by creating a Pull Request).
You can click Status for additional details about the workflow's progress.
When the run finishes, a summary of NG SAST's results appears on the PR.
You can get full details regarding the analysis from the ShiftLeft Dashboard.