AWS CodeBuild

This article shows you how to integrate ShiftLeft CORE's NG SAST into your AWS CodeBuild workflow to provide automated code analysis.

Prerequisites

  • You must have an Amazon Web Services account to proceed. During the registration process, Amazon will ask you to provide your billing information in case you exceed the Free Tier Usage Limits. ShiftLeft is not responsible for any usage costs you may incur by setting up and using this integration.

  • You can store your source code with any of the source providers CodeBuild supports, but for this tutorial we will proceed with our HelloShiftLeft sample app source code in GitHub.

Step 1: Create the buildspec file

In the root of your repository, create a buildspec file (named buildspec.yml by default) that contains the build commands and related settings CodeBuild uses to run a build. The following is a sample configuration file that you can modify and include:

version: 0.2
phases:
  install:
    runtime-versions:
      java: corretto8
    commands:
      - echo Entering the install phase...
    finally:
      - echo Exiting the dependency install phase...
  pre_build:
    commands:
      - echo Downloading the ShiftLeft CLI...
      # --fail makes curl exit non-zero on an HTTP error instead of saving the error page as "sl"
      - curl -fsSL https://cdn.shiftleft.io/download/sl -o $HOME/sl && chmod a+rx $HOME/sl
    finally:
      - echo Downloaded ShiftLeft...
  build:
    commands:
      - echo Entering the maven build process...
      - mvn clean package
    finally:
      - echo Exiting the maven build process...
  post_build:
    commands:
      - echo Starting code analysis with NG SAST...
      # --wait blocks until the analysis has finished, so the build does not succeed before results exist
      - $HOME/sl analyze --app HelloShiftLeft --wait --java target/hello-shiftleft-0.0.1.jar
    finally:
      - echo Ran NG SAST on your code
artifacts:
  files:
    - target/hello-shiftleft-0.0.1.jar

This example uses the corretto8 runtime on the aws/codebuild/standard:5.0 image; if you opt for a different runtime or image, check the NG SAST prerequisites to ensure that the language and runtime it provides are supported by ShiftLeft CORE.

Step 2: Create the build project

  1. Sign in to the AWS Console and open CodeBuild. If this is your first time using CodeBuild, you may be asked to choose an AWS Region where CodeBuild is supported; any option is acceptable.

  2. Click Create build project.

  3. Under Project configuration, provide a unique project name.

  4. In Source > Source provider, choose GitHub. Indicate your Repository type (in this case, we chose Public repository), and provide the Repository URL.

  5. AWS CodeBuild needs access to your GitHub account to display the available repositories; CodeBuild will walk you through the authorization process.

  6. Under Environment, choose the Managed image option.

  7. For Operating system, select Ubuntu.

  8. For Runtime, select Standard.

  9. For Image, select aws/codebuild/standard:5.0

  10. For Image version, select Always use the latest image for this runtime version.

  11. For Environment type, select Linux.

  12. For Service role, choose New service role and modify the Role name if you'd like. CodeBuild assumes this role to run your build, so its permissions determine what the build can reach in your account; keep them to what the build actually needs.

  13. Expand the Additional configuration section. Scroll down to Environment variables and create a SHIFTLEFT_ACCESS_TOKEN variable. For the time being, we will leave it as Plaintext for clarity, but a plaintext environment variable is stored in the project definition and is readable by anyone who can view the project in the console or API, so before using this in production switch the variable type to Parameter (Systems Manager Parameter Store) or Secrets Manager and grant the service role read access to that one value. You can create your CI token in the ShiftLeft Dashboard.

  14. Under Buildspec > Build specifications, choose Use a buildspec file.

  15. Scroll to the bottom, and click Create build project.
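As an added example (not from the original page or from ShiftLeft's documentation), here is the Step 1 buildspec reworked so that the token is fetched from AWS Secrets Manager at build time instead of being typed into the project as a plaintext variable. The secret name shiftleft/ci-token, its JSON key token, and the Parameter Store path in the comment are assumptions; substitute your own.

```yaml
version: 0.2

env:
  # Weak form (do not use in production): the token lives in the project
  # definition and is visible to anyone who can read the build project.
  # variables:
  #   SHIFTLEFT_ACCESS_TOKEN: "sl-ci-token-goes-here"
  #
  # Hardened form: CodeBuild reads the secret when the build starts and exposes
  # it only as an environment variable inside the build container.
  # Syntax is secret-id:json-key (json-key is omitted for a plain-string secret).
  secrets-manager:
    SHIFTLEFT_ACCESS_TOKEN: "shiftleft/ci-token:token"   # assumed secret name and key
  # Equivalent using Systems Manager Parameter Store (SecureString):
  # parameter-store:
  #   SHIFTLEFT_ACCESS_TOKEN: "/shiftleft/ci-token"        # assumed parameter path

phases:
  install:
    runtime-versions:
      java: corretto8
  pre_build:
    commands:
      - curl -fsSL https://cdn.shiftleft.io/download/sl -o $HOME/sl && chmod a+rx $HOME/sl
  build:
    commands:
      - mvn clean package
  post_build:
    commands:
      # The sl CLI picks up SHIFTLEFT_ACCESS_TOKEN from the environment; never echo it.
      - $HOME/sl analyze --app HelloShiftLeft --wait --java target/hello-shiftleft-0.0.1.jar

artifacts:
  files:
    - target/hello-shiftleft-0.0.1.jar
```

With this in place you can delete the plaintext SHIFTLEFT_ACCESS_TOKEN variable from the project configuration created in step 13 (or keep it in the console with its type set to Secrets Manager and the secret name as its value; the buildspec and console forms are interchangeable). The service role from step 12 needs an IAM statement allowing secretsmanager:GetSecretValue on that specific secret's ARN (or ssm:GetParameters on the parameter path for the Parameter Store form), plus kms:Decrypt on the key if the secret is encrypted with a customer-managed KMS key; do not grant these actions on a resource of "*".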

Step 3: Run the build

At this point, you're ready to run your build. You should have been redirected to an overview page for your CodeBuild project; if so, click Start Build. Otherwise, click Build projects in the left-hand navigation bar, and choose your project. Click Start build.

When done, you can review your results in the ShiftLeft Dashboard.