The Check Point CloudGuard platform provides cloud-native security, with advanced threat prevention for all assets and workloads in public, private, hybrid or multi-cloud environments, and a unified interface for automating security everywhere. As part of the CloudGuard family, Check Point shiftleft brings CloudGuard's ability to detect and prevent risk in cloud deployments into the CI/CD pipeline. shiftleft provides a single interface for multiple CI/CD security steps, including scanning your Infrastructure-as-Code (IaC) templates for risk, checking your software for known vulnerabilities, and scanning container images for security issues.
You'll need a CloudGuard account to use shiftleft. If your organization isn't already using Check Point CloudGuard, head over to the CloudGuard portal to create an account.
To use shiftleft you will need to:
- Install the shiftleft CLI binary
- Generate an authorization token in the CloudGuard portal
- Set up the token in your environment
Choose your desired platform:
Windows
Step | Description |
---|---|
1 | Download the x64 or 386 shiftleft standalone binary. |
2 | Save the shiftleft.exe file in a directory on your current PATH. |
3 | Generate a CloudGuard access token in the CloudGuard portal. |
4 | Set the CloudGuard ID and secret in your environment. In a Windows command terminal type: |
5 | Launch a new command terminal and verify that shiftleft is properly installed: |
Linux
Step | Description |
---|---|
1 | Download the x64 or 386 shiftleft standalone binary. |
2 | Make shiftleft executable and move the file into a directory on your current PATH, for example: |
3 | Generate a CloudGuard access token in the CloudGuard portal. |
4 | Set the CloudGuard ID and secret in your environment as appropriate. For example, add the following to ~/.profile: |
5 | Launch a new command terminal and verify that shiftleft is properly installed: |
Mac OS
Step | Description |
---|---|
1 | Download the x64 shiftleft standalone binary. |
2 | Make shiftleft executable, allow it to run unsigned, and move the file into a directory on your current PATH, for example: |
3 | Generate a CloudGuard access token in the CloudGuard portal. |
4 | Set the CloudGuard ID and secret in your environment as appropriate. For example, add the following to ~/.bash_profile: |
5 | Launch a new command terminal and verify that shiftleft is properly installed: |
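The steps above put an API secret into a shell profile and rely on the binary being on PATH; before any shiftleft step runs it is worth checking both. The following pre-flight script is an added example written for this page, not Check Point's code or part of the shiftleft documentation. It assumes the credentials are read from the environment variables `CHKP_CLOUDGUARD_ID` and `CHKP_CLOUDGUARD_SECRET` (an assumption; use the variable names the CloudGuard portal gives you with the token, overriding `CG_ID_VAR` and `CG_SECRET_VAR` if they differ), and it checks that the profile file carrying the secret is not readable by other users.

```shell
#!/bin/sh
# Added example pre-flight check for a shiftleft step (not Check Point's code).
# The credential variable names below are an assumption; override them if the
# portal's token instructions use different names.
CG_ID_VAR="${CG_ID_VAR:-CHKP_CLOUDGUARD_ID}"
CG_SECRET_VAR="${CG_SECRET_VAR:-CHKP_CLOUDGUARD_SECRET}"

# var_is_set NAME -> 0 if the variable called NAME is set and non-empty, else 1.
# Indirect lookup via eval so the script stays POSIX sh.
var_is_set() {
  eval "_v=\${$1:-}"
  [ -n "$_v" ]
}

# shiftleft_preflight [BINARY]
# Returns 0 when BINARY (default: shiftleft) resolves on PATH and both credential
# variables are non-empty. Each missing item is reported on stderr and 1 is
# returned; the secret value itself is never printed.
shiftleft_preflight() {
  bin="${1:-shiftleft}"
  rc=0
  if ! command -v "$bin" >/dev/null 2>&1; then
    echo "preflight: '$bin' not found on PATH" >&2
    rc=1
  fi
  for name in "$CG_ID_VAR" "$CG_SECRET_VAR"; do
    if ! var_is_set "$name"; then
      echo "preflight: $name is not set in the environment" >&2
      rc=1
    fi
  done
  return $rc
}

# secret_file_private FILE
# Returns 0 when FILE exists and grants no permissions to group or others
# (mode 0600 or tighter), which is the least a profile holding an API secret needs.
secret_file_private() {
  [ -f "$1" ] || return 1
  # characters 5-10 of `ls -l` output are the group and other permission bits
  perms="$(ls -ld "$1" | cut -c5-10)"
  [ "$perms" = "------" ]
}

# Typical use at the top of a CI job, where the token should come from the CI
# secret store rather than a profile file:
#   shiftleft_preflight && shiftleft image-scan -i image.tar
# On a workstation, also check the profile you edited in step 4:
#   secret_file_private "$HOME/.profile" || chmod 600 "$HOME/.profile"
```

The permission check deliberately reads `ls -l` rather than `stat`, whose flags differ between GNU and BSD userlands, so the same script runs unchanged on Linux and macOS.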
shiftleft is a CLI tool framework that allows access to multiple services. The services are called blades, and each individual blade provides a specific service.
The blades currently available are:
Blade Name | Description | Usage Example |
---|---|---|
iac-assessment | Scans Infrastructure-as-code templates, enabling DevOps and security teams to identify insecure configurations | shiftleft iac-assessment -h |
image-scan | Scans container images for security risks and vulnerabilities | shiftleft image-scan -h |
sourceguard | Source-code security scanning and visibility into the risk analysis of projects | shiftleft sourceguard -h |
There are many ways to use the shiftleft framework; the following sample use cases give a basic sense of how the tool is run.
You have a Terraform configuration in the ./my_config folder and want to run ruleset -64 against it to check whether it is compliant:
```
shiftleft iac-assessment -p ./my_config -r -64
```
Please refer to the detailed documentation for the iac-assessment blade below.
You have a container image saved as my_container.tar that you want to scan for vulnerabilities:
```
shiftleft image-scan -i my_container.tar
```
You have a container image called myrepo/myimage:version in your local Docker store that you want to scan for vulnerabilities. Export it to a tarball first, then scan the tarball:
```
docker save -o my_container.tar myrepo/myimage:version
shiftleft image-scan -i my_container.tar
```
The shiftleft CLI tool will automatically check for updates to the tool and any blades that you use, each time it's run.
The CLI tool is used to run the various service blades. Both the tool and the blade can receive arguments. In general, arguments to the tool precede the blade name, while arguments to the specific blade follow it:
```
shiftleft --argument_for=tool blade_name --argument_for_blade
```
The CLI tool accepts the following arguments:
```
-D, --debug                 debug output flag
-d, --directory string      working directory (default is temp dir)
-f, --force-version string  use blade specific version
-h, --help                  show usage
-t, --timeout int           timeout (default 600)
-u, --update                auto upgrade/update (default true)
-V, --version               show version
```
For example, to prevent the tool from updating itself while executing you could run:
```
shiftleft --update=false image-scan -i image.tar
```
To get help information about the tool, type:
```
shiftleft -h
```
To get help information about a specific blade, type:
```
shiftleft image-scan -h
```
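The sample use cases and the argument-order rule above, put together as a CI scan stage. This is an added example written for this page, not Check Point's code or part of the shiftleft documentation. It assumes `docker` and `shiftleft` are on PATH and the CloudGuard credentials are already in the environment; the function names, the 900 timeout value (the flag list gives no unit, so the value is illustrative) and the `--timeout=900` form, written like the `--update=false` example above, are assumptions.

```shell
#!/bin/sh
# Added example CI scan stage built on the shiftleft commands shown on this page
# (not Check Point's code). Assumes docker and shiftleft are on PATH and that the
# CloudGuard credentials are already exported in the environment.

# Tool-level flags applied to every blade run. They must go BEFORE the blade name.
# --update=false keeps the job reproducible (the CLI otherwise updates itself and
# its blades on every run); the timeout value is illustrative, the flag list gives
# no unit.
SHIFTLEFT_TOOL_FLAGS="--update=false --timeout=900"

# run_blade BLADE [blade arguments...]
# Assembles `shiftleft <tool flags> <blade> <blade flags>` and returns shiftleft's
# exit status unchanged, so a failing scan fails the CI job.
run_blade() {
  blade="$1"; shift
  # $SHIFTLEFT_TOOL_FLAGS is left unquoted on purpose: it holds several flags
  shiftleft $SHIFTLEFT_TOOL_FLAGS "$blade" "$@"
}

# scan_iac DIRECTORY RULESET_ID
# Assesses the IaC templates under DIRECTORY against one CloudGuard ruleset,
# e.g. scan_iac ./my_config -64 (negative IDs are passed through as given).
scan_iac() {
  run_blade iac-assessment -p "$1" -r "$2"
}

# scan_image IMAGE_REF
# Exports a local image with `docker save` into a private temp directory, scans
# the tarball, then removes the directory whatever the outcome. If the export
# fails the scan is skipped and docker's exit status is returned instead.
scan_image() {
  image="$1"
  tmpdir="$(mktemp -d)"
  tarball="$tmpdir/image.tar"
  rc=0
  docker save -o "$tarball" "$image" || rc=$?
  if [ "$rc" -eq 0 ]; then
    run_blade image-scan -i "$tarball" || rc=$?
  fi
  rm -rf "$tmpdir"
  return "$rc"
}

# Example pipeline stage: assess the Terraform config, then scan the image just built.
#   scan_iac ./my_config -64 && scan_image myrepo/myimage:version
```

Keeping the exported tarball in a fresh `mktemp -d` directory rather than the workspace avoids leaving a full image dump (including any secrets baked into its layers) behind in the build tree or in a cached artifact.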
## Limitations