AlphaScan helps you keep your source code secure by finding hardcoded passwords and access keys left in the code and alerting managers and administrators to them.
The scanner works by automatically scanning commits pushed to your repository and tagging any suspected security vulnerabilities found in those commits. You can also index your entire repository and scan it for vulnerabilities. Those vulnerabilities include strings at least 21 characters long with enough entropy (randomness) for the scanner to suspect a secret key or password.
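To make the detection rule above concrete, here is an added Python example; it is not AlphaScan's or Assembla's code. It extracts long tokens (using the page's 21-character minimum) either from the added lines of a unified diff, as a scan-on-push would, or from a whole file, as a repository index scan would, scores each token with Shannon entropy, and reports a redacted preview with the file and line. The 4.0 bits-per-character cutoff, the token character set, and the sample diff are assumptions constructed for this example; the page does not state AlphaScan's actual threshold.

```python
import math
import re
from typing import NamedTuple

# Minimum candidate length is taken from the page (at least 21 characters).
MIN_LENGTH = 21
# Assumed cutoff in bits per character; the page does not state AlphaScan's threshold.
ENTROPY_THRESHOLD = 4.0
# Candidate tokens: unbroken runs of characters typical of hex/base64/URL-safe keys.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_LENGTH)


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the token's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only a short prefix so the report never re-publishes the secret it found."""
    return token[:4] + "..." + f"({len(token)} chars)"


class Finding(NamedTuple):
    path: str
    line_no: int
    preview: str
    entropy: float


def find_tokens(line: str) -> list[tuple[str, float]]:
    """Return (token, entropy) for every long, high-entropy run on one line."""
    hits = []
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        ent = shannon_entropy(tok)
        if ent >= ENTROPY_THRESHOLD:
            hits.append((tok, round(ent, 2)))
    return hits


def scan_text(path: str, text: str) -> list[Finding]:
    """Full-file scan, as when indexing a whole repository."""
    return [
        Finding(path, i, redact(tok), ent)
        for i, line in enumerate(text.splitlines(), start=1)
        for tok, ent in find_tokens(line)
    ]


def scan_added_lines(path: str, diff_text: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, as a scan-on-push would."""
    findings = []
    new_line = 0
    for raw in diff_text.splitlines():
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_line = int(hunk.group(1)) - 1  # next line is the hunk's first new-file line
            continue
        if raw.startswith(("+++", "---", "-", "\\")):
            continue  # file headers and removed lines do not occupy new-file line numbers
        new_line += 1
        if raw.startswith("+"):
            for tok, ent in find_tokens(raw[1:]):
                findings.append(Finding(path, new_line, redact(tok), ent))
    return findings


# Constructed sample diff; the secret-looking value is random filler, not a real credential.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@
 DEBUG = False
+# constructed sample, not a real credential
+API_SECRET = "Q7fK9pZx2mN4vB8cL1rT6wY3hJ5gD0sA"
+DATABASE_NAME = "production_database_main"
 ALLOWED_HOSTS = ["example.com"]
"""

if __name__ == "__main__":
    for f in scan_added_lines("config/settings.py", SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no}  entropy={f.entropy}  {f.preview}")
```

Running the block flags only the 32-character random value on line 12 (5.0 bits per character) and leaves `production_database_main` alone, but note how close that ordinary identifier scores (about 3.75 bits): entropy alone produces false positives on long names and base64-encoded non-secrets, which is why scanners of this kind combine it with a length floor like the 21-character one the page describes, and why findings still need human review.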
Enabling AlphaScan
To enable AlphaScan for your repository, first open your repository in the Assembla WebApp. Then, open the Security Scan sub-tab.
Scanning commits for security risks
To allow AlphaScan to automatically scan incoming commits, check the Scan commits on push box. When you make a commit to your repository, AlphaScan automatically looks for any strings that could serve as passwords or secret keys. If it finds a vulnerability, it marks the issue with a red message symbol with an exclamation point inside. This symbol appears both on the commits list and on the commit details page.
You can find the warning symbol to the right of the commit message on the commits list.
You can find the warning symbol on the commit details’ file list, where it marks the affected file(s).
Additionally, you can see the affected line(s) after expanding the affected file’s diffs. Results are colored red and underlined in the diff view.
If a user in your space makes a commit that contains security findings, a warning is automatically created in that Space’s Stream.
Scanning your entire repository for vulnerabilities
If instead you would like to scan your entire repository for vulnerabilities, open the AlphaScan sub-tab, and then click the Start repository scan button.
A scan begins and, depending on the size of your repository, is completed within a few minutes. Refresh the page to view the completed report.
Reviewing repository scan results
Repository scan results are located on the AlphaScan sub-tab. Click the title of the report to view details.
The report lists the name of each file that contains a vulnerability, together with a preview of the vulnerability’s location within that file.
Need help? Please contact us at support@assembla.com.