This tutorial shows you how to install, set up, configure, and run your first code analysis using ShiftLeft.
Register for a ShiftLeft account.
You will be prompted to create an organization. Provide a name for your organization and click Create Organization to proceed.
As a new ShiftLeft user, you will be presented with a list of steps that you need to complete to install and set up ShiftLeft in the Dashboard.
You can always return to this page at a later date by clicking Add App in the Dashboard.
To install Inspect, download sl.exe.
Unzip the downloaded file, and run the newly unzipped executable to begin the installation process, making sure to grant the permissions requested by the installer. This copies
If you would like to install Protect in addition to Inspect, ShiftLeft provides the installers for the .NET Framework. You must use an account with administrator privileges to work with the Windows installers.
To get the .NET Framework installer:
Invoke-WebRequest -URI https://cdn.shiftleft.io/download/installer-dotnet-framework-latest-windows-x64.zip -UseBasicParsing -OutFile sl-latest-windows-x64.zip
The installer bundles all of the dependencies into a single downloadable file. This enables the installer to run without needing access to the Internet.
Once you've obtained the installer, unzip the downloaded file.
Run the newly-unzipped executable to begin the installation process. Be sure to grant the permissions requested by the installer.
The installer copies Protect to C:\shiftleftDotNetAgent, and during the installation process, you will see status updates in a Command Prompt window. Once the process completes, press Enter to finish and close out of the window.
When running the installer from the command line, note that the installer binaries have the following command-line options available to modify the default behavior.
Disables prompts for non-interactive usage if you are running the installer from the command line
Specifies the installation directory; the default is
Sets the directory for the location of created Start menu items. Defaults to
Identifies the home directory for ShiftLeft products. This directory is created as part of the installation process, and stores any downloaded binaries and configuration files. Defaults to
Installs just ShiftLeft Inspect (i.e.
All directories are stored in the Windows Registry.
The ShiftLeft CLI command sl auth is used to authenticate with ShiftLeft and associate your applications with your organization.
sl auth --org "YOUR_ORG_ID" --token "YOUR_ACCESS_TOKEN"
You can get the values for YOUR_ORG_ID and YOUR_ACCESS_TOKEN from the ShiftLeft Dashboard under Add App.
This step accomplishes two things: link the CLI running on your machine with your ShiftLeft account using ShiftLeft's API (the token included is needed to call the API).
You can confirm or update your auth values at any time by reviewing the configuration file located at
At this point, you are ready to run Inspect. For this tutorial, we test HelloShiftLeft, a demo app built using Java to demonstrate how ShiftLeft works. You must have Java 8 installed to use HelloShiftLeft.
To get HelloShiftLeft, you can clone its repo by running git clone https://github.com/ShiftLeftSecurity/HelloShiftLeft.git in the Command Prompt.
Once you've cloned the repo, navigate into the folder by running
Build the app using Maven by running mvn clean package (you can also use another build tool of your choice). If the build succeeds, the "BUILD SUCCESS" message is printed to the Command Prompt.
Run ShiftLeft using "C:\Program Files\ShiftLeft\sl.exe" analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar. You will see the following output:
Per the instructions printed to the Terminal, open up the URL provided after 5-10 minutes have elapsed. This brings you to the Dataflows page; in the top right-hand corner, click Vulnerabilities to see the issues present in your code.
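The authentication, build and analysis steps above, combined into one PowerShell script that stops at the first failing step and keeps the access token out of the script file. This is an added example, not ShiftLeft's own code; the environment variable names SL_ORG_ID and SL_ACCESS_TOKEN and the helper Invoke-Native are hypothetical names chosen for it, and it assumes the script is run from the root of the cloned HelloShiftLeft repository.

```powershell
# Added example: authenticate, build and analyze HelloShiftLeft in one run.
# SL_ORG_ID / SL_ACCESS_TOKEN are hypothetical variable names chosen here.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$sl  = 'C:\Program Files\ShiftLeft\sl.exe'   # sl.exe path used in this tutorial
$jar = 'target/hello-shiftleft-0.0.1.jar'    # build artifact named in this tutorial

function Invoke-Native {
    # Run an external program and fail on a non-zero exit code, which
    # $ErrorActionPreference = 'Stop' does not do for native commands.
    param([string]$Exe, [string[]]$Arguments, [string]$Label)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Label failed with exit code $LASTEXITCODE" }
}

if (-not (Test-Path -LiteralPath $sl)) { throw "sl.exe not found at $sl" }

# Take the credentials from the environment so they are not stored in the
# script or typed at the prompt, where PSReadLine would save them to history.
foreach ($name in 'SL_ORG_ID', 'SL_ACCESS_TOKEN') {
    if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
        throw "Environment variable $name is not set"
    }
}

# The token is still passed as a process argument to sl.exe, as in the
# tutorial's sl auth command. Only the label appears in error messages.
Invoke-Native $sl @('auth', '--org', $env:SL_ORG_ID, '--token', $env:SL_ACCESS_TOKEN) 'sl auth'

# Build, then confirm the jar exists before submitting it for analysis.
Invoke-Native 'mvn' @('clean', 'package') 'mvn clean package'
if (-not (Test-Path -LiteralPath $jar)) { throw "Build did not produce $jar" }

Invoke-Native $sl @('analyze', '--app', 'HelloShiftLeft', '--java', $jar) 'sl analyze'
```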