AlphaScan helps users keep their source code secure by finding hardcoded passwords and access keys left in the code and alerting managers and administrators to them.
The scanner works by automatically scanning commits to your repository and tagging any suspected security vulnerabilities found in those commits. If you would like to index your entire repository and scan for vulnerabilities, that option is also available. Those vulnerabilities include strings at least 21 characters long with sufficient entropy (randomness) for the scanner to suspect them of being secret keys or passwords.
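The length-plus-entropy heuristic described above can be sketched as follows. This is an added example, not AlphaScan's own code: the 21-character minimum comes from this page, while the 4.0 bits-per-character threshold, the token character set and the sample diff are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

MIN_LENGTH = 21          # from the page: strings at least 21 characters long
ENTROPY_THRESHOLD = 4.0  # assumption: bits per character; the page gives no figure

# Assumption: candidate tokens are runs of characters typical of keys and passwords.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_LENGTH)

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_added_lines(diff_text):
    """Return (file, line_no, token, entropy) for suspect tokens on added lines."""
    findings = []
    current_file, new_line = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first line number in the new file.
            new_line = int(re.search(r"\+(\d+)", line).group(1))
        elif line.startswith("+"):
            for tok in TOKEN_RE.findall(line[1:]):
                h = shannon_entropy(tok)
                if h >= ENTROPY_THRESHOLD:
                    findings.append((current_file, new_line, tok, round(h, 2)))
            new_line += 1
        elif line.startswith(" "):
            new_line += 1  # unchanged context line still advances the new-file counter
    return findings

# Constructed sample commit: one random-looking key, one long but repetitive string.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 import os
+API_KEY = "q7Zt9LmX2vB4nR8kPw3YcJ6hDf5sGa1E"
+LOG_MESSAGE = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 DEBUG = False
"""

if __name__ == "__main__":
    for finding in scan_added_lines(SAMPLE_DIFF):
        print(finding)
```

The repetitive string passes the length check but has zero entropy, so only the key on line 2 is reported; lowering the threshold catches weaker secrets at the cost of more false positives on long identifiers.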
Where Can I Find AlphaScan?
To enable AlphaScan for your repository, first open your repository in the Assembla WebApp. Then, open the AlphaScan sub-tab.
Automatically Scan Commits for Security Risks
To allow AlphaScan to automatically scan incoming commits, check the Scan commits on push box. When you make a commit to your repository, AlphaScan will automatically look for any strings which could serve as passwords or secret keys. If a vulnerability is found, it will be marked with a red message symbol with an exclamation point inside. This symbol can be found on both the commits list and the commit details page.
The warning symbol can be found to the right of the commit message on the commits list.
The warning symbol can be seen on the commit details’ file list to mark the affected file(s).
Additionally, the affected line(s) can be seen after expanding the affected file’s diffs. Results will be colored red and underlined in the diff view.
If a user in your space makes a commit that contains security findings, a warning will automatically be created in that Space’s Stream.
Scan Your Entire Repository for Vulnerabilities
If instead you would like to scan your entire repository for vulnerabilities, open the AlphaScan sub-tab and click the Start repository scan button.
A scan will begin and, depending on the size of your repository, will be completed within a few minutes. Refresh the page to view the completed report.
Repository Scan Results
Repository scan results can be found on the AlphaScan sub-tab. Clicking on the title of the report will open more details.
The report contains both the name of each file that contains a vulnerability and a preview of the vulnerability’s location within that file.
Need help? Please contact us at support@assembla.com.