Many microservices built today are containerized, with a large portion built and deployed as Docker containers. This section describes how the ShiftLeft CLI and the ShiftLeft Microagent can be integrated during Docker image builds and deployments.

Target Application: The JAR artifact of the target application, built using either a custom build script or a CI system such as Jenkins or Travis CI. In this section, we will identify this as a Java application called

Target Image: The container image that is run in production and contains the target JAR. The ShiftLeft CLI and ShiftLeft Microagent are configured into this Docker image.

Dockerfile: The Dockerfile used to build the target image. In order to provision the ShiftLeft CLI and ShiftLeft Microagent in the target image, this file is customized prior to the docker build command.
There are two ways to integrate the complete ShiftLeft solution with the containerized target application:
Container-only: Both the ShiftLeft code analysis and the ShiftLeft Microagent execute from within the container while the application container runs.

Host + Container: The ShiftLeft code analysis is carried out on the host before the application container runs. During the container run, only the ShiftLeft Microagent is started for each execution.
In the container-only mode, during the container build we need to prepare the image with all ShiftLeft dependencies bundled in it alongside the application. We first need to fetch the sl binary and copy the ShiftLeft configuration (config.json) generated from the authentication steps outlined in Authenticating with ShiftLeft. There are two ways to achieve the container-only solution.

In the first method, we perform code analysis and application execution as two separate sl invocations. A typical Dockerfile that performs these steps for a target app (app.jar) is shown below.
```dockerfile
FROM alpine
WORKDIR /usr/src/app
RUN apk --update --no-cache add curl openjdk8
# Copy the jar into the working directory (the original used /user/src/app, which does not match WORKDIR)
COPY app.jar /usr/src/app/app.jar
# Install ShiftLeft CLI
RUN curl https://www.shiftleft.io/download/sl-latest-linux-x64.tar.gz | tar xvz -C /usr/local/bin
# Note: values set with ENV persist in the image layers and are visible with docker history/inspect
ENV SHIFTLEFT_ORG_ID=...
ENV SHIFTLEFT_UPLOAD_TOKEN=...
# Run ShiftLeft code analysis
RUN sl analyze --wait --app MyApplication app.jar
# Run target app with ShiftLeft Microagent
CMD sl run -- java -jar app.jar
```
In the second method, we avoid the separate analysis step and bundle the analysis into the sl run command itself. This also allows us to specify an application name such as MyApplication via the --app option to sl. A sample Dockerfile is shown below.
```dockerfile
FROM alpine
WORKDIR /usr/src/app
RUN apk --update --no-cache add curl openjdk8
# Copy the jar into the working directory (the original used /user/src/app, which does not match WORKDIR)
COPY app.jar /usr/src/app/app.jar
# Install ShiftLeft CLI
RUN curl https://www.shiftleft.io/download/sl-latest-linux-x64.tar.gz | tar xvz -C /usr/local/bin
ENV SHIFTLEFT_ORG_ID=...
ENV SHIFTLEFT_UPLOAD_TOKEN=...
# Do ShiftLeft code analysis and run target app with ShiftLeft Microagent
CMD sl run --app MyApplication --analyze app.jar -- java -jar app.jar
```
In the Host + Container mode, the code analysis by the ShiftLeft CLI (sl) is performed on the host immediately after the target JAR is built by the CI and before the target Docker image is built. For example, if you are using Maven as the build system and Jenkins as the CI, the analysis can be added as a post-build step using the Exec Maven Plugin. As an example, an excerpt from the pom.xml file for the Maven project is shown below.
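The pom.xml excerpt referenced above is not reproduced on this page; the following is an added example (not ShiftLeft's own configuration) of binding sl analyze --wait to the Maven package phase with the Exec Maven Plugin. It assumes the sl binary is on the CI host's PATH, that SHIFTLEFT_ORG_ID and SHIFTLEFT_UPLOAD_TOKEN are already set in the Jenkins environment, that the application name MyApplication from the Dockerfiles above is reused, and that sl analyze writes shiftleft.json into its working directory.

```xml
<build>
  <plugins>
    <!-- Added example: run the ShiftLeft analysis on the CI host right after the jar is packaged.
         Credentials come from the environment (SHIFTLEFT_ORG_ID / SHIFTLEFT_UPLOAD_TOKEN), never from the POM. -->
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>exec-maven-plugin</artifactId>
      <version>1.6.0</version>
      <executions>
        <execution>
          <id>shiftleft-analyze</id>
          <!-- POM-declared executions in the package phase run after the default maven-jar-plugin
               binding, so ${project.build.finalName}.jar already exists at this point. -->
          <phase>package</phase>
          <goals>
            <goal>exec</goal>
          </goals>
          <configuration>
            <executable>sl</executable>
            <!-- Assumption: sl analyze writes shiftleft.json into the working directory; using the
                 project root places it next to the Dockerfile so the later COPY picks it up. -->
            <workingDirectory>${project.basedir}</workingDirectory>
            <arguments>
              <argument>analyze</argument>
              <argument>--wait</argument>
              <argument>--app</argument>
              <argument>MyApplication</argument>
              <argument>${project.build.directory}/${project.build.finalName}.jar</argument>
            </arguments>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Because the execution is bound to package, a plain mvn package on the CI host produces both the jar and shiftleft.json, and a non-zero exit from sl analyze fails the build before any docker build runs.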
For any other build system, all we need to remember is to analyze on the host beforehand using sl analyze --wait, so that the Application Configuration file shiftleft.json is generated in the same directory. Note that this file is distinct from the config.json file, which is generated after a successful ShiftLeft authentication. In the target image build steps that follow, we need to copy the shiftleft.json file into the container image so that it can be used when the application is run. A sample Dockerfile that does this is shown below.
```dockerfile
FROM alpine
WORKDIR /usr/src/app
RUN apk --update --no-cache add curl openjdk8
# Copy the jar into the working directory (the original used /user/src/app, which does not match WORKDIR)
COPY app.jar /usr/src/app/app.jar
# Install ShiftLeft CLI
RUN curl https://www.shiftleft.io/download/sl-latest-linux-x64.tar.gz | tar xvz -C /usr/local/bin
# Copy the ShiftLeft Application Configuration generated on the host into the app directory
COPY shiftleft.json /usr/src/app/.shiftleft.json
# Run target app with ShiftLeft Microagent
CMD sl run -- java -jar app.jar
```