This article shows how to integrate ShiftLeft CORE's NG SAST into your Docker workflow to provide automated code analysis.
This tutorial assumes that you have:
You may need to provide authentication information for ShiftLeft to your container via your Dockerfile. When running in a production environment, we recommend using a CI token as your access token; you can create a CI token in the ShiftLeft Dashboard and provide it using the SHIFTLEFT_ACCESS_TOKEN environment variable.
Integrating NG SAST with Docker
When integrating with Docker, NG SAST runs within your container. With a container-only integration, ShiftLeft executes within the container during the container run.
During the container build, you must bundle the target image with all of ShiftLeft's dependencies. More specifically, you'll need to include instructions for the following commands in your Dockerfile:
- Fetching the
- Copying the configuration file (config.json) that's generated by ShiftLeft when you run NG SAST
A sample Dockerfile that implements this might look something like the following:
Be sure to provide the appropriate value for SHIFTLEFT_ACCESS_TOKEN. You can find your Access Token in the Dashboard under Account Settings.