av sast server-scan
Ask AlertaVuln to clone and scan a project’s connected git repos on AlertaVuln’s infrastructure - an Enterprise feature, metered against a weekly quota.
Synopsis
av sast server-scan [flags]
Description
av sast server-scan requests a server-side SAST scan of a project’s
connected git repos. Unlike av sast scan, which runs the engines locally
for free, this clones and scans each repo on AlertaVuln’s infrastructure.
It exists for repos you can’t - or don’t want to - check out on a build
agent. Results land in the same consolidated finding set as local scans, so
av sast findings and the Code Scan page show them together. You must be
logged in (av login).
Before anything is enqueued, the command checks your entitlement: a non-Enterprise organisation gets an error quoting the monthly add-on price, and an exhausted weekly quota aborts with nothing enqueued. The quota resets on a rolling 7-day window.
Which repos are scanned depends on the flags. --source scans one connected
git source by its ID; --all scans every connected repo; if the project has
exactly one connected repo it is selected automatically. With several
connected repos and neither flag, the command errors and asks you to pass
--source <id> or --all. Repos are connected to a project in the web app.
After printing the cost, the command asks for a [y/N] confirmation unless
you pass --yes. Declining aborts with nothing enqueued and exits 0. The
cost warning goes to stderr, so stdout stays clean for scripting.
With --wait, each job is polled about every two seconds until it finishes,
then its RED/YELLOW/GREEN counts are printed. Combined with
--all, scans run one at a time: each repo is enqueued and waited on before
the next is enqueued. A failed scan makes the command exit non-zero.
Options
| Flag | Default | Description |
|---|---|---|
| --project | - | Project ID whose connected repos to scan (required) |
| --source | - | Scan only this connected git source ID |
| --all | false | Scan every connected repo in the project |
| --yes | false | Skip the confirmation prompt (the cost warning is still printed) |
| --wait | false | Wait for each scan to finish and print its RED/YELLOW/GREEN counts |
Examples
Scan a project’s single connected repo - you’re shown the cost and asked to confirm:
av sast server-scan --project <projectId>
Scan every connected repo without a prompt, for automation (the cost is still printed to stderr):
av sast server-scan --project <projectId> --all --yes
Scan one specific source and block until its RED/YELLOW/GREEN counts come back:
av sast server-scan --project <projectId> --source <sourceId> --wait
Exit codes
| Code | Meaning |
|---|---|
| 0 | Scans enqueued (and, with --wait, completed successfully), or you declined at the confirmation prompt. With --yes there is no prompt, so in that case 0 always means the scans were enqueued. |
| 1 | Not logged in, missing --project, ambiguous repo selection, no Enterprise entitlement, weekly quota exhausted, no connected repos, an enqueue failure, or a waited-on scan failed |
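As an added example that is not part of the AlertaVuln documentation: a POSIX sh wrapper for a CI job that always passes --yes and --wait, keeps the cost warning (stderr) in a separate log from the scan output (stdout), and maps the exit codes in the table above onto a build verdict. It assumes the av CLI is on PATH; the AV_BIN variable and the server_scan function are the wrapper's own conventions, not features of av, and nothing is assumed about the shape of av's output beyond what this page states.

```shell
#!/bin/sh
# Added example, not AlertaVuln's own code. Wraps `av sast server-scan` for CI.
# Assumption: `av` is on PATH. AV_BIN is this wrapper's own knob so that a stub
# can stand in for the real binary when the wrapper itself is tested.

# server_scan PROJECT SOURCE OUT_FILE LOG_FILE
#   SOURCE empty -> --all          (every connected repo, scanned one at a time)
#   SOURCE set   -> --source SOURCE (one connected git source by its ID)
# --yes suppresses the [y/N] prompt; --wait blocks until RED/YELLOW/GREEN
# counts are back and makes a failed scan exit non-zero.
server_scan() {
  project="$1"; source="$2"; out="$3"; log="$4"
  if [ -z "$project" ]; then
    echo "server_scan: project id required" >&2
    return 2
  fi

  # Repo selection: explicit source or everything; never both.
  if [ -n "$source" ]; then
    set -- --source "$source"
  else
    set -- --all
  fi

  # stdout stays clean for downstream tooling; the cost warning goes to LOG.
  "${AV_BIN:-av}" sast server-scan --project "$project" "$@" --yes --wait \
    >"$out" 2>"$log"
  rc=$?

  # Surface the cost warning in the CI log without mixing it into OUT.
  sed 's/^/[av] /' "$log" >&2

  # With --yes there is no prompt, so 0 cannot mean "declined": every scan was
  # enqueued and, because of --wait, finished without failure. 1 covers login,
  # entitlement, quota, selection, enqueue and scan failures alike.
  case "$rc" in
    0) echo "server-scan: all scans finished" >&2 ;;
    *) echo "server-scan: failed (exit $rc); see $log" >&2 ;;
  esac
  return "$rc"
}

# Usage from a pipeline step (PROJECT_ID supplied by the job's environment):
#   server_scan "$PROJECT_ID" "" scan.out scan.log || exit 1
```

Because the command prints nothing but the scan output on stdout, `scan.out` can be fed to whatever parses the counts, while `scan.log` keeps the cost warning as an audit trail of what the job spent against the weekly quota.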
See also
av sast scan - run the engines locally, free and unlimited
av sast jobs - show the server-side scan-job history for a project
av sast findings - pull the consolidated findings the server holds for a project