Docker
This article shows you how to integrate ShiftLeft CORE's NG SAST into your Docker workflow to provide automated code analysis.
Prerequisites
This tutorial assumes that you have:
- Set up Docker for use with your application
- Installed NG SAST
Authentication information
You must provide authentication information for ShiftLeft to your container via your Dockerfile. When running in a production environment, we recommend using a CI token as your access token; you can create a CI token in the ShiftLeft Dashboard and provide it using the `SHIFTLEFT_ACCESS_TOKEN` environment variable.
Integrating NG SAST with Docker
The following Dockerfile demonstrates how you can integrate ShiftLeft CORE to scan applications written in Java, JavaScript/TypeScript, Go, and/or Python (the image is also available on Docker Hub):
Parameters:
| Parameter | Description |
|---|---|
| `-e SHIFTLEFT_ACCESS_TOKEN` | The CI token that grants access to ShiftLeft resources; you can create a CI token in the ShiftLeft Dashboard |
| `/app` | The directory where ShiftLeft should be invoked; for Java apps, provide the path to the JAR/WAR (e.g., `/app/target/helloShiftLeft.jar`) |
| `-v $PWD:/app` | The present directory mounted inside the Docker container as `/app` |
| `-v /tmp:/tmp` | The tmp directory; some of ShiftLeft CORE's CPGs look for the tmp directory, and the code analysis fails if it can't locate the directory |
Running the code analysis
A sample invocation of `sl analyze` looks something like the following:
For Java apps:
For JavaScript apps:
For Python apps:
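The following shell helper is an added example and is not code from this page or from ShiftLeft. It assembles the `docker run ... sl analyze` command for a Java, JavaScript or Python application from the parameters in the table above, passing the CI token through `-e SHIFTLEFT_ACCESS_TOKEN` at run time (so the token is read from the CI environment rather than written into an image layer or the command line) and keeping the `/app` and `/tmp` mounts. The image name (`SL_IMAGE`, with an obvious placeholder default) and the `sl analyze` flags `--app`, `--java`, `--js` and `--python` are assumptions, not taken from this page; check them against your installed `sl` version.

```shell
#!/bin/sh
# Added example, not ShiftLeft's own code. Assumptions: the image name (set
# SL_IMAGE; the default below is a placeholder, not a real image) and the
# `sl analyze` flags --app, --java, --js and --python.
SL_IMAGE="${SL_IMAGE:-IMAGE_NAME_PLACEHOLDER}"

# build_scan_cmd <java|js|python> <app-name> [jar-or-war path relative to $PWD]
# Prints the docker run command on stdout. Returns 1 with a reason on stderr
# when the inputs would produce a scan that cannot work.
build_scan_cmd() {
  lang="$1"
  app="$2"
  artifact="$3"

  # Fail closed: without a token the container cannot authenticate. The value
  # itself is never echoed, so it does not end up in CI logs.
  if [ -z "$SHIFTLEFT_ACCESS_TOKEN" ]; then
    echo "SHIFTLEFT_ACCESS_TOKEN is not set" >&2
    return 1
  fi
  [ -n "$app" ] || { echo "app name is required" >&2; return 1; }

  case "$lang" in
    java)
      # Java scans take the built JAR/WAR; $PWD is mounted as /app, so the
      # path inside the container is /app/<artifact>.
      case "$artifact" in
        *.jar|*.war) target="--java /app/$artifact" ;;
        *) echo "java scans need a .jar or .war path, got '$artifact'" >&2; return 1 ;;
      esac ;;
    js)     target="--js" ;;
    python) target="--python" ;;
    *)      echo "unsupported language: $lang" >&2; return 1 ;;
  esac

  # `-e VAR` with no value makes docker copy the variable from this shell's
  # environment, so the token is not part of the command line or `ps` output.
  # -v /tmp:/tmp stays because some CPG generators look for the tmp directory.
  printf "docker run --rm -e SHIFTLEFT_ACCESS_TOKEN -v '%s':/app -v /tmp:/tmp -w /app %s sl analyze --app %s %s\n" \
    "$PWD" "$SL_IMAGE" "$app" "$target"
}

# Uncomment to run the generated command (requires docker and a valid token):
# sh -c "$(build_scan_cmd java hello target/helloShiftLeft.jar)"
```

Run it as `SL_IMAGE=<your image> sh -c "$(build_scan_cmd js my-app)"` from the application directory. The helper deliberately refuses to build a command when the token is missing or when a Java scan is pointed at something other than a JAR/WAR, which are the two inputs most likely to produce a confusing failure inside the container.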