This article shows you how to integrate ShiftLeft CORE's NG SAST into your Azure DevOps workflow to provide automated code analysis. We provide two sets of instructions based on how you define your Azure pipelines: using YAML syntax or the Classic interface.
For Azure Pipelines defined using YAML syntax
This tutorial assumes that you already have a YAML-based Azure Pipeline defined. You will add the tasks required to integrate NG SAST into that file.
Step 1: Create your secret variables
You will need to create secret variables to store authentication information for ShiftLeft.
We recommend creating your secret variables in a variable group, since this balances security (the secret is stored once, locked, and scoped to the pipelines you authorize) with ease of reuse across multiple repositories.
However, you could also create your secret variables using:
When creating a variable group, we recommend calling it something like shiftleft-token. You can then provide your access token as
When running in a production environment, we recommend that you use a CI config token, rather than a personal access token, as the access token. You can create your CI config token in the ShiftLeft Dashboard.
At this point, you can refer directly to this group in the pipeline's YAML configuration file using the group property under the
Step 2: Add ShiftLeft to your pipeline
You will need to include a step in your pipeline that downloads the ShiftLeft CLI (sl) so that the pipeline can run NG SAST.
If your agent runs Windows, you can do so with a PowerShell task:
If your agent runs Linux or macOS, you can use a script task:
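The following steps are an added example for this article (not the original page's own snippets) that download the CLI on either agent OS and put it on PATH for the rest of the job. The cdn.shiftleft.io download URLs are assumed to match ShiftLeft's published locations; the Agent.OS and Agent.ToolsDirectory variables and the task.prependpath logging command are Azure Pipelines features.

```yaml
# Added example: download the ShiftLeft CLI (sl) on Windows or Linux/macOS agents.
# The cdn.shiftleft.io URLs are assumptions; confirm them against ShiftLeft's current docs.
steps:
  - powershell: |
      $dir = "$(Agent.ToolsDirectory)\shiftleft"
      New-Item -ItemType Directory -Force -Path $dir | Out-Null
      Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile "$dir\sl.zip"
      Expand-Archive -Path "$dir\sl.zip" -DestinationPath $dir -Force
      # Prepend the directory to PATH for every later task in this job
      Write-Host "##vso[task.prependpath]$dir"
    displayName: 'Download ShiftLeft CLI (Windows)'
    condition: eq(variables['Agent.OS'], 'Windows_NT')

  - script: |
      set -euo pipefail
      dir="$(Agent.ToolsDirectory)/shiftleft"
      mkdir -p "$dir"
      # -f makes curl fail the step on an HTTP error instead of saving an error page as the binary
      curl -fsSL https://cdn.shiftleft.io/download/sl -o "$dir/sl"
      chmod a+rx "$dir/sl"
      echo "##vso[task.prependpath]$dir"
    displayName: 'Download ShiftLeft CLI (Linux/macOS)'
    condition: ne(variables['Agent.OS'], 'Windows_NT')
```

Both steps fail fast on a download error, so a later sl invocation never runs against a missing or truncated binary. Downloading into the agent's tools directory rather than a system path avoids needing elevated permissions on hosted agents.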
Step 3: Invoke NG SAST for code analysis
The following sections will show you how to analyze your Java or C# applications.
When invoking NG SAST, you need to refer to the SHIFTLEFT_ACCESS_TOKEN variable. As suggested earlier in this article, if you create a variable group, its variables are available to every pipeline that references the group. Note, however, that Azure Pipelines does not expose secret variables to scripts as environment variables automatically: you must map the secret explicitly in the env block of the script task that runs sl.
Analyzing a Java application
The following examples show how to build your Java application (required before NG SAST can analyze your code), then use the ShiftLeft CLI to invoke NG SAST for code analysis.
Note that the ShiftLeft CLI requires Java 8 to create the Code Property Graph (CPG) representation of your source code before analysis. This applies to Java projects; if you are analyzing a project written in C#, you can skip this step.
To set up Java 8, use the Java Tool Installer.
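Here is an added example (not from the original article) of a complete job for a Maven-based Java project, putting Steps 1 to 3 together: it references the variable group, installs Java 8, builds the jar, downloads sl, and runs the analysis with the secret mapped into the script's environment. The variable group name shiftleft-token, the app name my-java-app, and the jar path under target/ are assumptions; the sl analyze flags follow ShiftLeft's CLI usage for Java.

```yaml
# Added example: NG SAST for a Maven project on a hosted Linux agent.
# Assumed names: variable group "shiftleft-token" containing the secret SHIFTLEFT_ACCESS_TOKEN,
# app name "my-java-app", and a single jar produced at target/my-java-app.jar.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: shiftleft-token

steps:
  # NG SAST needs Java 8 to build the CPG, even if the application targets a newer JDK
  - task: JavaToolInstaller@0
    inputs:
      versionSpec: '8'
      jdkArchitectureOption: 'x64'
      jdkSourceOption: 'PreInstalled'
    displayName: 'Use Java 8'

  - task: Maven@3
    inputs:
      mavenPomFile: 'pom.xml'
      goals: 'package -DskipTests'
    displayName: 'Build jar'

  - script: |
      set -euo pipefail
      mkdir -p "$(Pipeline.Workspace)/sl-cli"
      curl -fsSL https://cdn.shiftleft.io/download/sl -o "$(Pipeline.Workspace)/sl-cli/sl"
      chmod a+rx "$(Pipeline.Workspace)/sl-cli/sl"
      echo "##vso[task.prependpath]$(Pipeline.Workspace)/sl-cli"
    displayName: 'Download ShiftLeft CLI'

  - script: |
      set -euo pipefail
      sl analyze --app my-java-app --java --cpg target/my-java-app.jar
    displayName: 'NG SAST analysis'
    env:
      # Secret variables are never auto-exposed to scripts; map them explicitly here.
      # The value is masked in the build log by Azure Pipelines.
      SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
```

Keeping the token in the env block of only the step that needs it limits its exposure to that one process; the build and download steps never see it.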
Analyzing a C# application
The following examples show you how to build your .NET Core application, then use the ShiftLeft CLI to invoke NG SAST for code analysis.
For .NET applications, pass in the .sln file instead of the .csproj file:
To pass additional build context (such as the branch or commit) from Azure to NG SAST, you can use Azure's predefined variables, referenced in the env block of your script.
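The following is an added example (not the original page's snippet) for a .NET Core solution: it builds the .sln, analyzes it with the C# frontend, and hands Azure's predefined Build.SourceBranchName and Build.SourceVersion variables to the CLI through the environment. The variable group name, app name and solution file name are assumptions, as is the --tag key=value form used to attach that context to the scan; confirm it against ShiftLeft's CLI reference.

```yaml
# Added example: NG SAST for a .NET Core solution, tagged with Azure build context.
# Assumed names: variable group "shiftleft-token", app "my-dotnet-app", solution MyApp.sln.
# The --tag flag is an assumption about the sl CLI; the rest is standard Azure Pipelines syntax.
pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: shiftleft-token

steps:
  - task: DotNetCoreCLI@2
    inputs:
      command: 'build'
      projects: 'MyApp.sln'
      arguments: '--configuration Release'
    displayName: 'Build solution'

  - script: |
      set -euo pipefail
      mkdir -p "$(Pipeline.Workspace)/sl-cli"
      curl -fsSL https://cdn.shiftleft.io/download/sl -o "$(Pipeline.Workspace)/sl-cli/sl"
      chmod a+rx "$(Pipeline.Workspace)/sl-cli/sl"
      echo "##vso[task.prependpath]$(Pipeline.Workspace)/sl-cli"
    displayName: 'Download ShiftLeft CLI'

  - script: |
      set -euo pipefail
      # Pass the .sln, not an individual .csproj, so every project in the solution is analyzed together
      sl analyze --app my-dotnet-app --csharp --cpg MyApp.sln \
        --tag "branch=$SL_BRANCH" --tag "commit=$SL_COMMIT"
    displayName: 'NG SAST analysis'
    env:
      SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
      # Azure predefined variables, exposed to the script under explicit names
      SL_BRANCH: $(Build.SourceBranchName)
      SL_COMMIT: $(Build.SourceVersion)
```

Mapping the predefined variables to named environment variables, rather than interpolating $(...) macros directly into the command line, keeps the command readable and avoids word-splitting surprises if a branch name contains unusual characters.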
Recursively finding and scanning your solution/project files
The following example shows you how to modify the sl analyze invocation to recursively find all .sln files and scan them with ShiftLeft:
Alternatively, you can recursively find and scan all .csproj files if .sln-based scans are taking too long:
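As an added example covering both the .sln and the .csproj variants above (not the original page's snippets), the step below walks the checked-out repository, analyzes each matching file as its own scan, and lets you switch the pattern from *.sln to *.csproj with a single variable. It assumes sl is already on PATH, the variable group shiftleft-token, and that each app is named after its solution or project file.

```yaml
# Added example: recursively find and scan every .sln (or .csproj) below the repo root.
# Assumed: sl on PATH, variable group "shiftleft-token", app name derived from the file name.
steps:
  - script: |
      set -euo pipefail
      cd "$(Build.SourcesDirectory)"
      pattern="${SL_PATTERN:-*.sln}"
      # -print0 with read -d '' keeps paths containing spaces intact.
      # Parameter expansion is used instead of $(basename ...) so the Azure macro
      # syntax $( ) cannot collide with the shell's command substitution.
      find . -name "$pattern" -not -path '*/bin/*' -not -path '*/obj/*' -print0 |
      while IFS= read -r -d '' file; do
        app="${file##*/}"          # strip directories
        app="${app%.*}"            # strip the .sln / .csproj extension
        echo "Analyzing $file as app $app"
        sl analyze --app "$app" --csharp --cpg "$file"
      done
    displayName: 'NG SAST: all solutions or projects'
    env:
      SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
      # Set to '*.csproj' to scan projects individually when .sln scans take too long
      SL_PATTERN: '*.sln'
```

Because set -e and pipefail are active, a failed sl analyze for any one file fails the step rather than being silently skipped, which is what you want when the scan result feeds a merge gate.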
sl check-analysis in Azure DevOps
The sl check-analysis feature allows you to compare your analysis results against a set of build rules you've defined, and to fail the build when those rules are violated. To use check-analysis in your Azure DevOps workflow, you must first enable build validation (a branch policy that requires your pipeline to succeed before a pull request can be completed) on your branch.
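The following step is an added example (not from the original article) of wiring check-analysis into a pull-request validation build so that a violated build rule blocks the merge. It assumes sl is on PATH, the build rules live in shiftleft.yml at the repository root, and the app is named my-app; the --source and --target options used to compare the pull-request branch against its target, and the --wait option on sl analyze, are assumptions to confirm against ShiftLeft's CLI reference.

```yaml
# Added example: gate pull requests on NG SAST build rules.
# Assumed: sl on PATH, build rules in shiftleft.yml, app "my-app", variable group "shiftleft-token".
# The --wait, --source and --target options are assumptions about the sl CLI.
steps:
  - script: |
      set -euo pipefail
      # Analyze and block until the scan is complete so check-analysis sees this build's results
      sl analyze --app my-app --java --cpg target/my-app.jar --wait
      # Azure supplies PR branches as refs/heads/<name>; strip the prefix for the CLI
      source="${SL_SOURCE#refs/heads/}"
      target="${SL_TARGET#refs/heads/}"
      # Non-zero exit on a violated rule fails this step, and build validation then blocks the PR
      sl check-analysis --app my-app --config shiftleft.yml \
        --source "$source" --target "$target"
    displayName: 'NG SAST build rules'
    condition: eq(variables['Build.Reason'], 'PullRequest')
    env:
      SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
      SL_SOURCE: $(System.PullRequest.SourceBranch)
      SL_TARGET: $(System.PullRequest.TargetBranch)
```

The condition limits the gate to pull-request builds, where System.PullRequest.* variables are populated; on a plain branch build they are empty and the comparison would be meaningless. Build.SourceBranchName is deliberately not used here, since on a pull-request build it resolves to the merge ref rather than the contributor's branch.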