ShiftLeft.io CLI for code security
10K+
This image contains the ShiftLeft CLI (aka sl) for code security tools. ShiftLeft CLI includes interfaces for SAST, secret detection, insights, SCA, and security training.
For more information on ShiftLeft CLI, read their documentation.
This image is automatically updated every week and is maintainted by ReDemoNBR and rdnxk. It is not maintained by ShiftLeft.
The motivation of this project instead of using official ShiftLeft images (ex: shiftleft/scan) is that those images are built on top of ubuntu:focal, which is heavier (~800MB final size) compared to our Debian (~200MB) or even Alpine (~83MB) variants. Also, their images on Docker Hub are undocumented. Another reason to use these images instead of following their own tutorials is that the wrapper script is downloaded without validating the checksum which may lead to some injection issues.
This image is designed to be used on CI/CD pipelines.
Format is <version>-<variant> or <version> (the latter one uses debian:bullseye as base image)
All images contain the sl executable ready for use. Also it is aliased to shiftleft-cli to avoid confusion with sl (Steam Locomotive).
redemonbr/shiftleft-cli:<version> | redemonbr/shiftleft-cli:<version>-bullseyeThis is the defacto image, it is built on top of Debian's latest stable release "bullseye", available at Debian official image.
redemonbr/shiftleft-cli:<version>-alpineThis image is built on top of the latest stable release of Alpine Linux, available at Alpine official image.
This variant is useful when final image size being as small as possible is your primary concern. The main caveat to note is that it does use musl libc instead of glibc and friends, so software will often run into issues depending on the depth of their libc requirements/assumptions.
For ShiftLeft CLI usage with their options and arguments, please read their own CLI documentation. Here we will cover only the Docker image usage.
--help usage$ docker run redemonbr/shiftleft-cli:latest sl --help
$ docker run \
--rm \
--name shiftleft \
--volume /path/to/my/application/:/mnt/my-app/ \
--env SHIFTLEFT_APP=my-app \
--env SHIFTLEFT_CPG=true \
--env SHIFTLEFT_NO_DIAGNOSTIC=true \
--env SHIFTLEFT_ACCESS_TOKEN=<access_token> \
--env SHIFTLEFT_LANG_JAVA=true \
--env SHIFTLEFT_JAVA_OPTS=-Xmx10g \
redemonbr/shiftleft-cli:bullseye \
/bin/bash
root@942b0046a022:/# sl auth
root@942b0046a022:/# sl analyze my-app.jar --dep dependency-1.jar --dep dependency-2.jar
$ docker run \
-it \
--rm \
--name shiftleft \
--volume /path/to/my/application/:mnt/my-app/ \
--env SHIFTLEFT_APP=my-app \
--env SHIFTLEFT_CPG=true \
--env SHIFTLEFT_NO_DIAGNOSTIC=true \
--env SHIFTLEFT_ACCESS_TOKEN=<access_token> \
--env SHIFTLEFT_LANG_JAVA=true \
--env SHIFTLEFT_JAVA_OPTS=-Xmx10g \
redemonbr/shiftleft-cli:alpine \
/bin/sh
/ # shiftleft-cli auth
/ # shiftleft-cli analyze my-app.jar --dep dependency-1.jar --dep dependency-2.jar --tag branch=my-tag
/ # shiftleft-cli check-analysis --branch "my-tag" --report --report-file "./shiftleft.md"
Using on GitLab-CI for a NodeJS project
audit:sast-scan:
stage: test
image: redemonbr/shiftleft-cli:alpine
variables:
SHIFTLEFT_APP: my-great-app
SHIFTLEFT_CPG: true
SHIFTLEFT_LANG_JS: true
SHIFTLEFT_NO_DIAGNOSTIC: true
SHIFTLEFT_WAIT: true
## replace the ones below with yours, or (better) put them into your CI/CD secrets
SHIFTLEFT_ACCESS_TOKEN: <token_here>
SHIFTLEFT_ORG: <org_id_here>
before_script:
- npm install
- shiftleft-cli auth --org "$SHIFTLEFT_ORG"
script:
- shiftleft-cli analyze --tag "branch=$CI_COMMIT_REF_NAME" ./ -- --no-babel --exclude "node_modules/,test/,.git/,.cache/"
# create directory to store report
- mkdir .reports/
- shiftleft-cli check-analysis --branch "$CI_COMMIT_REF_NAME" --report --report-file "./.reports/shiftleft.md"
after_script:
# copy report to another directory
- cp .reports/shiftleft.md ./shiftleft.md
artifacts:
name: shiftleft-$CI_COMMIT_SHORT_SHA
paths:
- shiftleft.md
expire_in: 7 days
public: false
Content type
Unrecognized
Digest
sha256:0d987b50f…
Size
832.7 kB
Last updated
11 days ago
docker pull redemonbr/shiftleft-cli:sha256-beb25800e692b01a234f68dfe22dd9d07fb7c1cbe0bf6de3bf0d24740bfd5381.sbom