Access tokens

Use of ShiftLeft CORE's functionality requires you to possess the correct access token. The access tokens issues by ShiftLeft loosely fall into two categories:

  1. Tokens tied to a user: by default, ShiftLeft assigns each user an access token, whose value you can find in the dashboard under Account Settings. The specific permissions granted to the holder of such tokens depend on the role they've been assigned.

  2. Integration tokens: integration tokens are those that users can create to facilitate the integration of ShiftLeft CORE with another product (e.g., inclusion in a CI/CD pipeline, creating Jira issues populated with vulnerability information identified by ShiftLeft CORE, etc.). ShiftLeft allows users with sufficient privileges (typically org owners and super admins) to create such tokens.

Creating tokens

Tokens tied to a user are automatically created by ShiftLeft CORE whenever an org owner/super admin creates a user. The scopes that ShiftLeft assigns to that token depend on the role they've been assigned and are automatically updated if that role changes.

Org owners/super admins can create integration tokens and a general access token via the dashboard) or the /tokens endpoints of the ShiftLeft API.

Token types

The following is a description of the specific token types available, which of the two categories they fall under, and when you should use the specific token type:

Token typesUsage
Personal access tokenAutomatically assigned to the user upon creation. Grants access to most ShiftLeft CORE functionality, though certain actions may be restricted depending on their assigned role (e.g., members may not be able to access as many of the API's endpoints as a power user)
CIUse for integrating ShiftLeft into your CI/CD systems (e.g., Jenkins, CircleCI). CI tokens are not tied to the user; the tokens are tied to the org used to issue them, so admin users can revoke if necessary
GitHubUse for integrating ShiftLeft into your GitHub pull request workflow that leverages GitHub Actions
JiraUse for integrating ShiftLeft CORE with Jira; required by ShiftLeft's plugin
Service tokenOrg owners can create service tokens used only to generate CI tokens for use in CI/CD pipelines. See the Creating service and CI tokens article for a walkthrough of this process
Access tokenFunctionally the same as the personal access token, though it lacks the scopes needed to call the ShiftLeft API. It is generated by org owners using the ShiftLeft API (and can therefore be revoked independently of user management)

Personal access tokens are automatically assigned to each ShiftLeft user. Access tokens are those generated by org owners via the API's /tokens endpoint.

Tokens and their permissions

Personal accessCIGitHubJira integrationAccessService
Check analysis
Modify findings
Jira integration

Tokens with access to teams (e.g., a CI token with org-wide access) may add apps to those teams during during analysis.