Sonatype Lift Quick Start Guide


Lift: A Deep Code Analysis Platform

Sonatype Lift is a deep code analysis platform for first-party code. It reviews the code written by your software development teams and provides feedback to improve code quality. Lift is distinctive because it applies intelligent analysis to the code and then prioritizes the feedback so that what it reports is actionable. This includes help with security, performance, reliability, and style issues. Sonatype Lift delivers its feedback as pull request (PR) comments, making it a natural part of the code review process. Out of the box, Lift supports 24 tools and 11 languages to cover all aspects of your code. Every tool in Lift can be customized to fit your needs and preferences, and you can add your own custom scanners and code analysis tools to Lift.

Using Sonatype Lift is simple. Lift integrates with a source control system and then provides feedback in the pull request on the exact line of code where it found the issue. Research by Facebook found that integrating analysis tools at this stage of the software development process makes developers 70 times more likely to fix the issues that are found. Sonatype Lift focuses on reporting issues that software development teams can actually fix, which further boosts Lift's fix rate and reduces unnecessary feedback. An aggregated report of all issues is available in the Lift console.

Installing

Sonatype Lift is free to try on your personal repositories and easy to configure with your enterprise. Talk to our sales team for details.

Install Sonatype Lift by integrating it into your source control management system. GitHub installation is easy and only takes a few clicks. To install Lift into Bitbucket, GitLab, or another SCM provider, please reach out to our sales team.

To install Lift in GitHub:

  1. Navigate to the Lift Homepage.
  2. Click the Install Lift for Free button.
  3. Scroll to the bottom of the page to select your plan. Then complete your order.

    NOTE: The free version of Lift analyzes public repositories, while the Pro version can analyze both private and public repositories.

  4. Select which repositories you'd like Lift to analyze and click the Install and Authorize button. This redirects you to the Lift Console.

The Console

The Sonatype Lift console lets you view previous analysis results and see issues detected across entire repositories. This dashboard also lets you analyze entire applications. When you scan an application from the Lift console, it reports every issue it finds in the whole repository. This differs from the comments Lift makes on pull requests, which identify only the new issues introduced in that PR.

Each analysis report provides detailed information about the bugs Lift found, including the exact location of each issue for easier remediation. Analyses run from the Console are useful for finding problems in newly onboarded applications and for finding issues that were not introduced in a new pull request. Both On Demand Analyses and PR Analyses create a scan report that can be viewed at any time.

Analyze a Repository from the Lift Console

To run an analysis from the Lift Console:

  1. Select the organization that owns the repository you want to analyze.
  2. Select the repository to analyze.
  3. Select the branch to analyze from the dropdown.
  4. Click Analyze. This generates a new analysis report.

View an Analysis Report

To view a Lift Analysis Report:

  1. Select the organization that owns the repository from the dropdown next to the search bar.
  2. Select a repository. You can also use the search bar to filter repositories by name.
  3. Click on a report.

From this screen you can do the following:

  • Run a new analysis on a repository.
  • View previous reports from any On Demand Analysis or Pull Request Analysis.
  • Review the bugs Lift found in the entire repository during the most recent analysis.

Each On Demand Analysis or PR Analysis creates a scan report. Clicking on an analysis lists all the issues Sonatype Lift found and indicates whether each issue is New, Existing, or Fixed. Click the Show Details button to open a window with precise information about which tool detected the issue and where it is located.

Lift in Your Source Control System

Most of the time you use Sonatype Lift, it will be in your source control system rather than in the Lift console. Whenever someone opens a pull request on a repository with Lift installed, Lift checks the changes in the PR for issues. It then comments on the exact line where it detected each issue. Lastly, Lift creates a status check for the pull request that lists the number of new bugs detected and how many bugs have been resolved. By offering feedback in PRs, Sonatype Lift gives development teams actionable feedback as a normal part of the code review process, at the point when developers are already soliciting feedback and making corrections to their code.

Sometimes it is necessary to interact with Lift directly, either to tell it that an issue it found is not relevant or to get more help. Developers can talk directly to Lift by mentioning it in a reply to one of its comments: mention @sonatype-lift and Lift will reply. Sonatype Lift understands the following commands:

  • ignore - Marks an issue as a false positive. This tells Lift the bug is not applicable in this situation and removes the bug report from the results.
  • unignore - Re-identifies a previously ignored issue as a legitimate bug report.
  • help - Asks Lift for help. Lift-dev replies with a list of commands, links to Lift's documentation, and a link to the Lift console.

Customizing and Extending Lift

Sonatype Lift starts scanning your repositories and providing feedback out of the box, without any configuration or customization. However, you may want to optimize Lift for your specific languages, or add things like custom rules or custom compilation steps (for example, non-standard build targets). To customize Lift, add a .lift.toml file to your project and include it in your commits. This file lets you declare custom rules, ignore files, and much more. See the Lift Configuration Reference for options and examples.

Already using code analysis tools? Add your own custom tools to Sonatype Lift and see their analysis results in the same PR workflows. These additional tools are invoked from the .lift.toml file and communicate with Lift through the same APIs as Lift's preconfigured tools. The technical documentation for Extending Lift provides specific information about Lift's API standards and execution environment.

Additional Resources