Docker

This article shows you how you can integrate ShiftLeft CORE's NG SAST into your Docker workflow to provide automated code analysis.

Prerequisites

This tutorial assumes that you have:

Authentication Information

You may need to provide authentication information for ShiftLeft to your container via your Dockerfile. When running in a production environment, we recommend using a CI token as your access token; you can create a CI token in the ShiftLeft Dashboard and provide it using the SHIFTLEFT_ACCESS_TOKEN environment variable.

Integrating NG SAST with Docker

When integrating with Docker, NG SAST runs inside your container: with a container-only integration, ShiftLeft executes within the container while the container runs.

During the container build, you must bundle the target image with all of ShiftLeft's dependencies. More specifically, your Dockerfile needs instructions for the following steps:

  1. Fetching the sl binary
  2. Copying the configuration file (config.json) that's generated by ShiftLeft when you run NG SAST

A sample Dockerfile that implements this might look something like the following:

FROM alpine
WORKDIR /usr/src/app
RUN apk --update --no-cache add curl openjdk8
# Copy the application into the working directory (the path must match WORKDIR so that "app.jar" resolves below)
COPY app.jar /usr/src/app/app.jar
# Install the ShiftLeft CLI (-f fails on HTTP errors instead of piping an error page into tar; -L follows redirects)
RUN curl -fsSL https://cdn.shiftleft.io/download/sl-latest-linux-x64.tar.gz | tar xvz -C /usr/local/bin
# Access token; note that a value set with ENV persists in the image's layer history
ENV SHIFTLEFT_ACCESS_TOKEN=...
# Analyze the code
RUN sl analyze --wait --app MyApplication app.jar

Be sure to provide the appropriate value for SHIFTLEFT_ACCESS_TOKEN. You can find your Access Token in the Dashboard under Account Settings.
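As an added example (not from ShiftLeft's documentation), the same build with the access token supplied through a BuildKit secret mount and a multi-stage layout, so that neither the token nor the sl binary ends up in the shipped image. The secret id shiftleft_token, the source file shiftleft_token.txt and the runtime CMD are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not ShiftLeft's own Dockerfile): the token is mounted as a
# BuildKit secret for a single RUN step, analysis happens in a throwaway stage,
# and the runtime stage keeps only the application.

# --- Stage 1: analysis (discarded after the build) ---
FROM alpine AS analyze
WORKDIR /usr/src/app
RUN apk --update --no-cache add curl openjdk8
COPY app.jar /usr/src/app/app.jar
# Install the ShiftLeft CLI; -f makes curl fail on HTTP errors instead of piping an error page into tar
RUN curl -fsSL https://cdn.shiftleft.io/download/sl-latest-linux-x64.tar.gz | tar xz -C /usr/local/bin
# Secret id "shiftleft_token" is an assumption; it is passed at build time with
#   docker build --secret id=shiftleft_token,src=./shiftleft_token.txt .
# The file is visible only during this RUN and is never written to a layer,
# unlike an ENV value, which stays in the image history.
RUN --mount=type=secret,id=shiftleft_token \
    SHIFTLEFT_ACCESS_TOKEN="$(cat /run/secrets/shiftleft_token)" \
    sl analyze --wait --app MyApplication app.jar

# --- Stage 2: runtime image (no sl binary, no curl, no token) ---
FROM alpine
WORKDIR /usr/src/app
RUN apk --update --no-cache add openjdk8
# Copying from the analysis stage ties the runtime image to a successful
# analysis: if "sl analyze" fails, the whole build fails.
COPY --from=analyze /usr/src/app/app.jar /usr/src/app/app.jar
CMD ["java", "-jar", "app.jar"]
```

Build with `DOCKER_BUILDKIT=1 docker build --secret id=shiftleft_token,src=./shiftleft_token.txt .` and confirm with `docker history` on the resulting image that no layer carries the token or the sl binary.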