Use the sl analyze command to submit applications to ShiftLeft for code analysis and security profiling.
Review code analysis requirements.
Install ShiftLeft CLI on the host where you will submit applications for analysis.
Build the application successfully with a supported build tool (Maven, Gradle or sbt) before you submit it for analysis; analysis operates on the built artifact, not on source.
Submit the application for analysis using one of the supported analysis commands (see below).
The ShiftLeft CLI supports three modes of analysis. Which mode you choose depends on your requirements.
sl analyze --app <name> <path> uploads the application to the ShiftLeft cloud for analysis. This mode is suitable for most use cases.
--app <name> tells ShiftLeft to associate the analysis with the application <name>. This lets separate analysis requests (for different versions of the same app) be grouped under that application in the ShiftLeft UI.
The sl analyze command scans the artifact (JAR/WAR) provided by
sl analyze --app <name> --cpg <path> submits security metadata (a code property graph, CPG) for your proprietary application code in lieu of its bytecode, together with the bytecode of its open-source dependencies.
The --cpg mode is appropriate if you prefer to generate that security metadata locally for proprietary code before submitting it to ShiftLeft, so the proprietary bytecode itself is not uploaded. Note: the --cpg flag consumes considerably more memory on your build machine. Ensure that at least 16 GB of RAM is available on the build machine if you plan to use this flag.
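The steps above (build, locate the artifact, submit with sl analyze in either mode) as one POSIX shell wrapper. This is an added example, not a script from ShiftLeft or this page; the SL_BIN and BUILD_CMD overrides, the target/ lookup and the 16 GB memory warning are assumptions made here for illustration, and only the two sl analyze invocations shown on this page are used.

```shell
#!/bin/sh
# Added example (not ShiftLeft's own tooling): build a Maven project, find the
# JAR/WAR it produced, and submit it with `sl analyze --app <name> <path>` or
# `sl analyze --app <name> --cpg <path>`.
# Assumptions: SL_BIN overrides the CLI binary (default: sl on PATH),
# BUILD_CMD overrides the build command, and the artifact lives in target/.

# find_artifact <project_dir>: print the single deployable JAR/WAR in target/.
# Fails if there is none (build did not run) or more than one (ambiguous).
find_artifact() {
    dir="$1"
    set -- "$dir"/target/*.jar "$dir"/target/*.war
    found=""
    for f in "$@"; do
        [ -f "$f" ] || continue                     # unmatched glob stays literal
        case "$f" in
            *-sources.jar|*-javadoc.jar|*-tests.jar) continue ;;   # not deployables
        esac
        if [ -n "$found" ]; then
            echo "find_artifact: more than one artifact in $dir/target" >&2
            return 2
        fi
        found="$f"
    done
    [ -n "$found" ] || { echo "find_artifact: no JAR/WAR in $dir/target; build first" >&2; return 1; }
    printf '%s\n' "$found"
}

# warn_if_low_memory_for_cpg: --cpg generates the CPG locally, which needs
# about 16 GB of RAM. Reads MemTotal from /proc/meminfo when present (Linux).
warn_if_low_memory_for_cpg() {
    [ -r /proc/meminfo ] || return 0
    total_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    if [ -n "$total_kb" ] && [ "$total_kb" -lt $((16 * 1024 * 1024)) ]; then
        echo "warning: --cpg needs ~16 GB RAM; this host has $((total_kb / 1024)) MB" >&2
    fi
}

# submit_app <app_name> <project_dir> [--cpg]
submit_app() {
    app="$1"; dir="$2"; mode="${3:-}"
    sl_bin="${SL_BIN:-sl}"
    command -v "$sl_bin" >/dev/null 2>&1 || {
        echo "ShiftLeft CLI ($sl_bin) not found; install it on this host first" >&2
        return 127
    }
    # Build before submitting: analysis works on the compiled artifact.
    ( cd "$dir" && ${BUILD_CMD:-mvn -q -DskipTests package} ) || return $?
    artifact=$(find_artifact "$dir") || return $?
    if [ "$mode" = "--cpg" ]; then
        warn_if_low_memory_for_cpg
        "$sl_bin" analyze --app "$app" --cpg "$artifact"
    else
        "$sl_bin" analyze --app "$app" "$artifact"
    fi
}

# Usage (assumed application name and path):
#   submit_app my-service ./my-service          # cloud analysis
#   submit_app my-service ./my-service --cpg    # local CPG for proprietary code
```

Keep the application name stable across versions: --app is what lets successive submissions of the same service line up in the ShiftLeft UI, so derive it from the project, not from the build number.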