Docker

This article shows you how to integrate ShiftLeft CORE's NG SAST into your Docker workflow to provide automated code analysis.

Prerequisites

This tutorial assumes that you have:

Authentication information

You must provide authentication information for ShiftLeft to your container via your Dockerfile. When running in a production environment, we recommend using a CI token as your access token; you can create a CI token in the ShiftLeft Dashboard and provide it using the SHIFTLEFT_ACCESS_TOKEN environment variable.

Integrating NG SAST with Docker

The following Dockerfile demonstrates how you can integrate ShiftLeft CORE to scan applications written in Java, JavaScript/TypeScript, Go, and/or Python (the resulting image is also available on Docker Hub):

# Single build stage: Ubuntu 20.04 plus the toolchains for every language this image scans
FROM ubuntu:20.04 as builder
ARG CLI_VERSION
ARG BUILD_DATE
# GOPATH gets its own ENV instruction so that the PATH below can reference it
# (variables set in the same ENV instruction are not visible to each other)
ENV GOPATH=/opt/app-root/go
# PATH deliberately has no trailing ":" (an empty entry would put the current directory on PATH)
ENV SHIFTLEFT_HOME=/opt/sl-cli \
PYTHONUNBUFFERED=1 \
DEBIAN_FRONTEND=noninteractive \
GO_VERSION=1.17.8 \
PATH=${PATH}:/opt/sl-cli:${GOPATH}/bin:/usr/local/go/bin
LABEL maintainer="ShiftLeftSecurity" \
org.label-schema.schema-version="1.0" \
org.label-schema.vendor="shiftleft" \
org.label-schema.name="scan-base" \
org.label-schema.version=$CLI_VERSION \
org.label-schema.license="GPL-3.0-or-later" \
org.label-schema.description="Docker image for ShiftLeft Core analysis" \
org.label-schema.url="https://www.shiftleft.io" \
org.label-schema.usage="https://github.com/ShiftLeftSecurity/scan-base" \
org.label-schema.build-date=$BUILD_DATE \
org.label-schema.vcs-url="https://github.com/ShiftLeftSecurity/scan-base.git" \
org.label-schema.docker.cmd="docker run --rm -it --name slcore shiftleft/core /bin/bash"
USER root
# Install the language toolchains (JDK 8, Python 3.8, Node 16 + yarn, Maven/Gradle, Go),
# then the sl CLI and its per-language CPG front ends, and finally drop the apt lists
RUN mkdir -p /opt/sl-cli && apt update -y \
&& apt install --no-install-recommends -y jq curl wget zip unzip openjdk-8-jdk \
build-essential python3.8 python3.8-dev python3-setuptools python3-pip python3.8-venv git maven gradle \
&& curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
&& apt install -y nodejs \
&& curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarnkey.gpg >/dev/null \
&& echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian stable main" | tee /etc/apt/sources.list.d/yarn.list \
&& apt update && apt install -y yarn \
&& npm install -g @appthreat/cdxgen \
&& curl -LO "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" \
&& tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz \
&& rm go${GO_VERSION}.linux-amd64.tar.gz \
&& curl "https://cdn.shiftleft.io/download/sl" > /usr/local/bin/sl \
&& chmod a+rx /usr/local/bin/sl \
&& /usr/local/bin/sl update js2cpg \
&& /usr/local/bin/sl update java2cpg \
&& /usr/local/bin/sl update py2cpg \
&& /usr/local/bin/sl update go2cpg \
&& python3 -m pip install --no-cache-dir shiftleft-scan-reports \
&& rm -rf /var/lib/apt/lists/*

Parameters:

Parameter                   Description
-e SHIFTLEFT_ACCESS_TOKEN   The CI token that grants access to ShiftLeft resources; you can create a CI token in the ShiftLeft Dashboard
/app                        The directory where ShiftLeft should be invoked; for Java apps, provide the path to the JAR/WAR (e.g., /app/target/helloShiftLeft.jar)
-v $PWD:/app                The present working directory mounted inside the Docker container as /app
-v /tmp:/tmp                The tmp directory; some of ShiftLeft CORE's CPG generators (java2cpg, js2cpg, etc.) look for it, and the code analysis fails if they can't locate the directory

Running the code analysis

A sample invocation of sl analyze looks something like the following:

For Java apps:

docker run --rm -it --name slcore \
-e SHIFTLEFT_ACCESS_TOKEN \
-v $PWD:/app -v /tmp:/tmp \
shiftleft/core \
sl analyze --java --cpg /app/target/helloshiftleft.jar
# windows users only (cmd.exe: the line continuation character is ^, not \)
docker run --rm -it --name slcore ^
-e SHIFTLEFT_ACCESS_TOKEN ^
-v %cd%:/app -v /tmp:/tmp ^
shiftleft/core ^
sl analyze --java --cpg /app/target/helloshiftleft.jar

For JavaScript apps:

# for JavaScript apps
docker run --rm -it --name slcore \
-e SHIFTLEFT_ACCESS_TOKEN \
-v $PWD:/app -v /tmp:/tmp \
shiftleft/core \
sl analyze --js --cpg /app
# windows users only (cmd.exe: the line continuation character is ^, not \)
docker run --rm -it --name slcore ^
-e SHIFTLEFT_ACCESS_TOKEN ^
-v %cd%:/app -v /tmp:/tmp ^
shiftleft/core ^
sl analyze --js --cpg /app

For Python apps:

# for Python apps
docker run --rm -it --name slcore \
-e SHIFTLEFT_ACCESS_TOKEN \
-v $PWD:/app -v /tmp:/tmp \
shiftleft/core \
sl analyze --python --cpg /app
# windows users only (cmd.exe: the line continuation character is ^, not \)
docker run --rm -it --name slcore ^
-e SHIFTLEFT_ACCESS_TOKEN ^
-v %cd%:/app -v /tmp:/tmp ^
shiftleft/core ^
sl analyze --python --cpg /app
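The invocations above, together with the authentication requirement from the start of this article, can be wrapped in a small POSIX shell script. The script below is an added example, not part of ShiftLeft's documentation or of the scan-base project; it assumes only what the page shows (the shiftleft/core image, the -e and -v parameters, and the sl analyze flags --java, --js, --python and --cpg). The language detection rules, the DRY_RUN variable, the function names and the script name sl-docker-scan.sh are this example's own conventions.

```shell
#!/bin/sh
# sl-docker-scan.sh: an added wrapper around the "docker run ... shiftleft/core sl analyze"
# commands shown on this page. It is not ShiftLeft's code. Assumed from the page: the
# shiftleft/core image, the -e/-v parameters and the sl analyze flags; everything else
# (detection rules, DRY_RUN, function names) is this script's own convention.

# "-e SHIFTLEFT_ACCESS_TOKEN" with no "=value" copies the variable from the host
# environment, so an unset host variable leaves the container without a token.
# Check for it up front instead of discovering it when the scan fails.
require_token() {
    [ -n "${SHIFTLEFT_ACCESS_TOKEN:-}" ]
}

# Infer the sl analyze language flag from build files in the project directory
# (this example's own heuristic). Prints java, js or python; returns 1 if nothing matches.
detect_language() {
    dir="$1"
    if [ -f "$dir/pom.xml" ] || [ -f "$dir/build.gradle" ]; then
        echo java
    elif [ -f "$dir/package.json" ]; then
        echo js
    elif [ -f "$dir/requirements.txt" ] || [ -f "$dir/setup.py" ] || [ -f "$dir/pyproject.toml" ]; then
        echo python
    else
        return 1
    fi
}

# Assemble the documented command as one string so it can be reviewed or logged
# before anything runs. Arguments: language flag, host project dir, in-container target.
build_analyze_cmd() {
    lang="$1"; host_dir="$2"; target="$3"
    printf '%s' "docker run --rm -it --name slcore -e SHIFTLEFT_ACCESS_TOKEN -v $host_dir:/app -v /tmp:/tmp shiftleft/core sl analyze --$lang --cpg $target"
}

# Usage: sl-docker-scan.sh <project-dir> [in-container-target]
# For Java the target is the built JAR/WAR under /app, e.g. /app/target/helloShiftLeft.jar;
# for JavaScript and Python it defaults to /app, the mounted source tree.
main() {
    host_dir="${1:-$PWD}"
    target="${2:-/app}"
    require_token || { echo "SHIFTLEFT_ACCESS_TOKEN is not set in this environment" >&2; return 2; }
    lang=$(detect_language "$host_dir") || { echo "cannot infer project language in $host_dir" >&2; return 2; }
    if [ "$lang" = java ] && [ "$target" = /app ]; then
        echo "Java projects need the JAR/WAR path, e.g. /app/target/helloShiftLeft.jar" >&2
        return 2
    fi
    echo "Running: $(build_analyze_cmd "$lang" "$host_dir" "$target")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    docker run --rm -it --name slcore \
        -e SHIFTLEFT_ACCESS_TOKEN \
        -v "$host_dir:/app" -v /tmp:/tmp \
        shiftleft/core \
        sl analyze "--$lang" --cpg "$target"
}

# Only run main when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `DRY_RUN=1 ./sl-docker-scan.sh . /app/target/helloShiftLeft.jar` to see the exact docker command before a real scan. Two things worth knowing when moving this into CI: the token check deliberately happens on the host, because the page's `-e SHIFTLEFT_ACCESS_TOKEN` form never fails by itself when the variable is missing; and the `-it` flags copied from the page require a terminal, so a non-interactive CI job without a TTY will need `-i` alone.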