GoCD

This article shows you how you can integrate ShiftLeft CORE's NG SAST into your GoCD workflow to provide automated code analysis.

Prerequisites

This tutorial assumes that you have:

Step 1: Create Your Environment Variables

Log into your GoCD server using an account that has administrator privileges.

Create the following environment variables containing authentication information for ShiftLeft:

Variable | Value
SHIFTLEFT_ACCESS_TOKEN | Your Access Token

When running in a production environment, we recommend that you use a CI token as the access token. You can create your CI token in the ShiftLeft Dashboard.

Note that any environment variable that is set overrides the corresponding value in a configuration file.

Step 2: Add ShiftLeft to the Agent Image

To provide instructions for running ShiftLeft to your GoCD agent image, navigate to the image you want to modify and use the editor to add the following shell script:

#!/bin/sh
/usr/local/bin/sl analyze

Alternatively, if you want to use CPG mode for code analysis, use:

#!/bin/sh
/usr/local/bin/sl analyze --cpg

Be sure to check this shell script in to your project's repository.
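The two one-line scripts above work, but they give no useful diagnostic when the access token from Step 1 is missing, and they rely on `sl` to discover that on its own. The following wrapper is an added example, not ShiftLeft's or GoCD's own script: it checks that SHIFTLEFT_ACCESS_TOKEN is set before calling `sl analyze`, logs only the token's presence and length (never its value, so it cannot leak into the job console), selects CPG mode through an assumed SL_CPG=1 variable, and propagates the exit status of `sl` so GoCD fails the job on analysis errors. The `/usr/local/bin/sl` path is the one used above; GO_PIPELINE_NAME is the variable GoCD sets on agents for a running job.

```shell
#!/bin/sh
# Added example wrapper around `sl analyze` for a GoCD agent. This is not
# ShiftLeft's or GoCD's own script; it fails fast with a clear message when
# SHIFTLEFT_ACCESS_TOKEN is missing instead of letting `sl` fail later, and
# it never echoes the token value into the job console log.

# Assumed install path for the ShiftLeft CLI (the page uses /usr/local/bin/sl).
SL_BIN="${SL_BIN:-/usr/local/bin/sl}"

# Returns 0 when SHIFTLEFT_ACCESS_TOKEN is set and non-empty, 1 otherwise.
# Only the token's presence and length are logged, never its value.
check_sl_token() {
    if [ -z "${SHIFTLEFT_ACCESS_TOKEN:-}" ]; then
        echo "error: SHIFTLEFT_ACCESS_TOKEN is not set; add it to the GoCD environment variables" >&2
        return 1
    fi
    echo "SHIFTLEFT_ACCESS_TOKEN is present (${#SHIFTLEFT_ACCESS_TOKEN} characters)"
    return 0
}

# Prints the arguments for `sl`. SL_CPG=1 is an assumed variable used here to
# select CPG mode; it is not something the ShiftLeft CLI itself reads.
build_sl_args() {
    if [ "${SL_CPG:-0}" = "1" ]; then
        echo "analyze --cpg"
    else
        echo "analyze"
    fi
}

# Checks the token and the CLI, then runs the analysis. The exit status of
# `sl` becomes the exit status of the script, so GoCD marks the job failed
# when the analysis itself fails.
run_sl_analyze() {
    check_sl_token || return 1
    if [ ! -x "$SL_BIN" ]; then
        echo "error: ShiftLeft CLI not found at $SL_BIN" >&2
        return 1
    fi
    # Word splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    "$SL_BIN" $(build_sl_args)
}

# Run only when invoked by a GoCD job (GoCD sets GO_PIPELINE_NAME on the agent)
# or when called explicitly with `run`; otherwise just define the functions so
# the script can be sourced and its checks exercised on their own.
if [ -n "${GO_PIPELINE_NAME:-}" ] || [ "${1:-}" = "run" ]; then
    run_sl_analyze
fi
```

Check the script in next to the one-liners and point the GoCD task at it in Step 3; set SL_CPG=1 as a GoCD environment variable on the stage if you want CPG mode without keeping two copies of the script.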

Step 3: Configure your Build

Once you've checked in the shell script you created in Step 2, you'll need to configure your build. To do so, open your project and go to the project's Settings.

Under the Stages tab, click Add New Stage and set the following parameters:

Parameter | Value
Stage Name | SL Analyze
Trigger Type | On Success
Job Name | SL Analyze
Task Type | More
Command | /bin/sh
Arguments | <path-to-checked-in-script>.sh
Working Directory | <directory-to-built-project-packages>

Click Save.