For Windows Users

This tutorial shows you how to install, set up, configure, and run your first code analysis using ShiftLeft.

Register for a ShiftLeft Account

Register for a ShiftLeft account.

You will be prompted to create an organization. Provide a name for your organization and click Create Organization to proceed.

Your Org ID and Access Token

As a new ShiftLeft user, you will be presented with a list of steps that you need to complete to install and set up ShiftLeft in the Dashboard.

Dashboard Instructions Page

You can always return to this page at a later date by clicking Add App in the Dashboard.

Installing Inspect

To install Inspect, download sl.exe.

Unzip the downloaded file, and run the newly unzipped executable to begin the installation process, making sure to grant the permissions requested by the installer. This copies sl.exe to C:\Program Files\ShiftLeft.

Installing Protect

If you would like to install Protect in addition to Inspect, ShiftLeft provides the installers for the .NET Framework. You must use an account with administrator privileges to work with the Windows installers.

Step 1: Download the Installers

To get the .NET Framework installer:

Invoke-WebRequest -URI https://cdn.shiftleft.io/download/installer-dotnet-framework-latest-windows-x64.zip -UseBasicParsing -OutFile sl-latest-windows-x64.zip

The installer bundles all of the dependencies into a single downloadable file. This enables the installer to run without needing access to the Internet.

Step 2: Unzip the Downloaded Files and Run the Installer

Once you've obtained the installer, unzip the downloaded file.

Unzip Prompt

Run the newly-unzipped executable to begin the installation process. Be sure to grant the permissions requested by the installer.

Install Account Control

The installer copies Protect to C:\shiftleftDotNetAgent, and during the installation process, you will see status updates in a Command Prompt window. Once the process completes, press Enter to finish and close out of the window.

Installation Progress

Command-Line Installation Options

When you run the installer from the command line, the installer binaries accept the following options to modify the default behavior.

| Option | Description |
| --- | --- |
| --no-prompt | Disables prompts for non-interactive usage if you are running the installer from the command line |
| --install-directory | Specifies the installation directory; the default is ShiftLeft in the Windows Programs folder |
| --start-menu-entries | Sets the directory for the location of created Start menu items. Defaults to ShiftLeft at the top level of the Start menu. If empty, no Start menu items are created |
| --sl-home | Identifies the home directory for ShiftLeft products. This directory is created as part of the installation process, and stores any downloaded binaries and configuration files. Defaults to .shiftleft in your Home directory |
| --no-dotnet-agent | Installs just ShiftLeft Inspect (i.e. sl.exe) and not ShiftLeft Protect |

All directories are stored in the Windows Registry.
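An unattended install that checks the downloaded installer before running it, as an added example that is not ShiftLeft's own script. It assumes the installer executable is Authenticode-signed and that a non-zero exit code means failure (the page states neither), finds the .exe by extension because the page does not name it, and uses a constructed working directory.

```powershell
# Added example (not ShiftLeft's own script): unattended install with a signature check.
$ErrorActionPreference = 'Stop'

$Url     = 'https://cdn.shiftleft.io/download/installer-dotnet-framework-latest-windows-x64.zip'  # URL from this page
$WorkDir = Join-Path $env:TEMP 'sl-installer'   # constructed working directory
$ZipPath = Join-Path $WorkDir 'sl-latest-windows-x64.zip'

# The Windows installers require an account with administrator privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Start from an empty directory so a stale executable cannot be picked up.
if (Test-Path $WorkDir) { Remove-Item $WorkDir -Recurse -Force }
New-Item -ItemType Directory -Path $WorkDir | Out-Null

Invoke-WebRequest -Uri $Url -UseBasicParsing -OutFile $ZipPath
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir

# Log the archive hash so the exact build that was installed can be traced later.
$hash = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
Write-Host "SHA256 of downloaded archive: $hash"

# The page does not name the executable inside the archive, so locate it by extension.
$exe = @(Get-ChildItem -Path $WorkDir -Filter '*.exe' -Recurse)
if ($exe.Count -ne 1) { throw "Expected exactly one .exe, found $($exe.Count)." }

# Assumption: the installer is Authenticode-signed. Refuse to run it otherwise.
$sig = Get-AuthenticodeSignature -FilePath $exe[0].FullName
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not running it."
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# --no-prompt is the documented option for non-interactive use.
$proc = Start-Process -FilePath $exe[0].FullName -ArgumentList '--no-prompt' -Wait -PassThru
# Assumption: a non-zero exit code indicates a failed installation.
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)." }
```

A `Valid` status only shows that the signature chains to a trusted root and the file is unmodified; compare the printed signer subject against the publisher you expect before relying on the result.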

Using the ShiftLeft CLI to Authenticate

The ShiftLeft CLI command sl auth is used to authenticate with ShiftLeft and associate your applications with your organization.

sl auth --org "YOUR_ORG_ID" --token "YOUR_ACCESS_TOKEN"

You can get the values for YOUR_ORG_ID and YOUR_ACCESS_TOKEN from the ShiftLeft Dashboard under Add App.

This step links the CLI running on your machine with your ShiftLeft account through ShiftLeft's API; the token you supply is needed to call the API.

You can confirm or update your auth values at any time by reviewing the configuration file located at C:\Users\{USER}\.shiftleft\config.json.

Inspect Your Code

At this point, you are ready to run Inspect. For this tutorial, we test HelloShiftLeft, a demo app built using Java to demonstrate how ShiftLeft works. You must have Java 8 installed to use HelloShiftLeft.

To get HelloShiftLeft, you can clone its repo by running git clone https://github.com/ShiftLeftSecurity/HelloShiftLeft.git in the Command Prompt.

Once you've cloned the repo, navigate into the folder by running cd HelloShiftLeft.

Build the app using Maven by running mvn clean package (you can also use another build tool of your choice). If the build is successful, the “BUILD SUCCESS” message is printed to the Command Prompt.

Run ShiftLeft using the following command:

"C:\Program Files\ShiftLeft\sl.exe" analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar

You will see the following output:

Inspect Output

Per the instructions printed to the Command Prompt, wait 5-10 minutes, then open the URL provided. This brings you to the Dataflows page; in the top right-hand corner, click Vulnerabilities to see the issues present in your code.