The Code Security Scanner enables users to maintain their source code’s security by finding and alerting managers and administrators of hardcoded passwords and access keys left in the source code.
Currently, the scanner works by automatically scanning commits to your repository and tagging any suspected security vulnerabilities found in those commits. Those vulnerabilities include strings at least 21 characters long with sufficient entropy (randomness) for the scanner to suspect it of being a secret key or password.
How Can I Enable the Security Scanner Tool?
To enable Security Scanning for your repository, first open your repository in the Assembla WebApp. Then, open the Settings sub-tab and navigate to the Security scanner settings page on the left-hand sidebar. To enable the scanner, check the box labelled Check source code for possible security issues.
Automatically Scan Commits for Security Risks
When you make a commit to your repository, the Code Security Scanning Tool will automatically look for any strings which could serve as passwords or secret keys. If a vulnerability is found, it will be marked with a red message symbol with an exclamation point inside. This symbol can be found both on the commits list as well as the commit details page.
The warning symbol can be found to the right of the commit message on the commits list.
The warning symbol can be seen on the commit details’ file list to mark the affected file(s).
Additionally, the affected line(s) can be seen after expanding the affected file’s diffs. Results will be colored red and underlined in the diff view.
Warnings in the Stream
If a user in your space makes a commit that contains security findings, a warning will automatically be created in that Space’s Stream. Clicking on the stream event will then take users to the details page for the commit that triggered the report.
Need help? Please contact us at support@assembla.com.