Use of ShiftLeft CORE's functionality requires you to possess the correct access token. The access tokens issued by ShiftLeft loosely fall into two categories:
Tokens tied to a user: by default, ShiftLeft assigns each user an access token, whose value you can find in the dashboard under Account Settings. The specific permissions granted to the holder of such tokens depend on the role they've been assigned.
Integration tokens: integration tokens are those that users can create to facilitate the integration of ShiftLeft CORE with another product (e.g., inclusion in a CI/CD pipeline, creating Jira issues populated with vulnerability information identified by ShiftLeft CORE, etc.). ShiftLeft allows users with sufficient privileges (typically org owners and super admins) to create such tokens.
Tokens tied to a user are automatically created by ShiftLeft CORE whenever an org owner/super admin creates a user. The scopes that ShiftLeft assigns to that token depend on the role they've been assigned and are automatically updated if that role changes.
The following is a description of the specific token types available, which of the two categories they fall under, and when you should use the specific token type:
| Token type | Description |
| --- | --- |
| Personal access token | Automatically assigned to the user upon creation. Grants access to most ShiftLeft CORE functionality, though certain actions may be restricted depending on the user's assigned role (e.g., members may not be able to access as many of the API's endpoints as a power user) |
| CI | Use for integrating ShiftLeft into your CI/CD systems (e.g., Jenkins, CircleCI). CI tokens are not tied to a user; they are tied to the org used to issue them, so admin users can revoke them if necessary |
| GitHub | Use for integrating ShiftLeft into a GitHub pull request workflow that leverages GitHub Actions |
| Jira | Use for integrating ShiftLeft CORE with Jira; required by ShiftLeft's plugin |
| Service token | Org owners can create service tokens, which are used only to generate CI tokens for use in CI/CD pipelines. See the Creating service and CI tokens article for a walkthrough of this process |
| Access token | Functionally the same as the personal access token, though it lacks the scopes needed to call the ShiftLeft API. It is generated by org owners using the ShiftLeft API (and can therefore be revoked independently of user management) |
Personal access tokens are automatically assigned to each ShiftLeft user. Access tokens are those generated by org owners via the API's
Tokens and their permissions
| Personal access | CI | GitHub | Jira integration | Access | Service |
| --- | --- | --- | --- | --- | --- |
Tokens with access to teams (e.g., a CI token with org-wide access) may add apps to those teams during analysis.