Skip to content


ShiftLeft Scan is a free open-source security tool for modern DevOps teams. With an integrated multi-scanner based design, ShiftLeft Scan can detect various kinds of security flaws in your application and infrastructure code in a single fast scan. The kind of flaws detected are:

  • Credentials Scanning to detect accidental secret leaks
  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Open-source dependencies audit
  • Licence violation checks


Scan supports a range of integration options: from scanning the code on your IDE to scanning every build and pull-request in the CI/CD pipelines.

Sample invocation

Easy one-liner command below:

sh <(curl

The above command simply invokes the below docker run command.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/sast-scan scan --build

Java Scan

Scan is also available as an AppImage. Please download the latest version from GitHub releases or use the one-liner command below.

sh <(curl
chmod +x scan
./scan -t nodejs

Supported Languages & Frameworks

Full list of supported languages is as follows:

Language Scan Type (--type) Credential Scan SAST Dependency Scan License Audit Build Breaker
Salesforce Apex apex
Ansible ansible 🚧
AWS CloudFormation aws
Bash bash
Go go
Java java
Kotlin kotlin
Scala kotlin
Groovy kotlin
JSP jsp
Node.js nodejs 🚧
PL/SQL plsql
Php php
Python python
Rust rust
Kubernetes kubernetes
Terraform terraform
Salesforce Visual Force vf
Apache Velocity vm
Yaml yaml 🚧

🚧 - Work-in-progress feature

Start with your use case

  • Read more about secure development and best practices with scan for a range of languages

Last update: July 8, 2020