av sast server-scan

Ask AlertaVuln to clone and scan a project’s connected git repos on AlertaVuln’s infrastructure - an Enterprise feature, metered against a weekly quota.

    av sast server-scan [flags]

av sast server-scan requests a server-side SAST scan of a project’s connected git repos. Unlike av sast scan, which runs the engines locally for free, this clones and scans each repo on AlertaVuln’s infrastructure. It exists for repos you can’t - or don’t want to - check out on a build agent. Results land in the same consolidated finding set as local scans, so av sast findings and the Code Scan page show them together. You must be logged in (av login).

Before anything is enqueued, the command checks your entitlement: a non-Enterprise organisation gets an error quoting the monthly add-on price, and an exhausted weekly quota aborts with nothing enqueued. The quota resets on a rolling 7-day window.

Which repos are scanned depends on the flags. --source scans one connected git source by its ID; --all scans every connected repo; if the project has exactly one connected repo it is selected automatically. With several connected repos and neither flag, the command errors and asks you to pass --source <id> or --all. Repos are connected to a project in the web app.

After printing the cost, the command asks for a [y/N] confirmation unless you pass --yes. Declining aborts with nothing enqueued and exits 0. The cost warning goes to stderr, so stdout stays clean for scripting.

With --wait, each job is polled about every two seconds until it finishes, then its RED/YELLOW/GREEN counts are printed. Combined with --all, scans run one at a time: each repo is enqueued and waited on before the next is enqueued. A failed scan makes the command exit non-zero.

    Flag       Default  Description
    --project  -        Project ID whose connected repos to scan (required)
    --source   -        Scan only this connected git source ID
    --all      false    Scan every connected repo in the project
    --yes      false    Skip the confirmation prompt (the cost warning is still printed)
    --wait     false    Wait for each scan to finish and print its RED/YELLOW/GREEN counts

Scan a project’s single connected repo - you’re shown the cost and asked to confirm:

    av sast server-scan --project <projectId>

Scan every connected repo without a prompt, for automation (the cost is still printed to stderr):

    av sast server-scan --project <projectId> --all --yes

Scan one specific source and block until its RED/YELLOW/GREEN counts come back:

    av sast server-scan --project <projectId> --source <sourceId> --wait

    Code  Meaning
    0     Scans enqueued (and, with --wait, completed successfully), or you declined at the confirmation prompt
    1     Not logged in, missing --project, ambiguous repo selection, no Enterprise entitlement, weekly quota exhausted, no connected repos, an enqueue failure, or a waited-on scan failed
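
As an added example (not from the AlertaVuln docs or the av CLI itself), a POSIX shell helper for unattended runs: it passes --yes so the [y/N] prompt never blocks, --all and --wait so every connected repo is scanned and a failed scan surfaces as a non-zero exit, and sends the stderr cost warning to its own log so stdout stays usable for scripting. It assumes av is on PATH and you are already logged in; the AV override variable is an assumption added only so the helper can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not part of the av documentation. Run a server-side SAST
# scan of every connected repo from CI and propagate the CLI's exit status.
# Assumes `av` is on PATH and `av login` has already been done.
# AV is an assumed override so a stub command can stand in for `av` in tests.

server_scan_ci() {
  project="$1"
  errlog="${2:-server-scan.err}"

  # --yes:  skip the [y/N] prompt. Without it, a declined prompt exits 0
  #         with nothing enqueued, which an unattended job would misread
  #         as a successful scan.
  # --all:  scan every connected repo (sequentially when combined with --wait).
  # --wait: poll each job until it finishes; a failed scan yields exit 1.
  # The cost warning is written to stderr, so it is captured in $errlog
  # while stdout is left untouched for the caller.
  if "${AV:-av}" sast server-scan --project "$project" --all --yes --wait 2>"$errlog"; then
    status=0
  else
    status=$?
    echo "server-scan failed for project $project (exit $status); see $errlog" >&2
  fi
  return "$status"
}

# Usage: server_scan_ci <projectId> [stderr-log]
if [ $# -gt 0 ]; then
  server_scan_ci "$@"
fi
```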

  • av sast scan - run the engines locally, free and unlimited
  • av sast jobs - show the server-side scan-job history for a project
  • av sast findings - pull the consolidated findings the server holds for a project