
Code Security Agent

The Code Security Agent performs Static Application Security Testing (SAST) to identify vulnerabilities in source code before deployment.

Overview

  • Agent Name: CodeSecurityAgent
  • Scan Type: code
  • Credit Cost: 1 credit (standard), 0.5 (quick), 2 (comprehensive)
  • Languages Supported: Python, JavaScript, TypeScript, Java, Go, Rust, PHP, Ruby, C/C++

Capabilities

Vulnerability Detection

  • Injection Attacks

    • SQL Injection (CWE-89)
    • Command Injection (CWE-78)
    • LDAP Injection (CWE-90)
    • XML Injection (CWE-91)
    • XSS (CWE-79)
  • Authentication & Authorization

    • Broken authentication (CWE-287)
    • Insecure session management
    • Missing authorization checks
    • Privilege escalation vulnerabilities
  • Cryptography

    • Weak encryption algorithms
    • Hardcoded secrets (CWE-798)
    • Insecure random number generation
    • Certificate validation issues
  • Data Handling

    • Insecure deserialization (CWE-502)
    • Path traversal (CWE-22)
    • Information disclosure
    • Sensitive data exposure
  • Configuration

    • Security misconfigurations
    • Debug mode enabled
    • Insecure defaults
    • Missing security headers

Code Quality

  • Dependency vulnerabilities
  • Outdated libraries
  • Unused code
  • Dead code detection

Usage

CLI

# Basic scan
alprina scan ./src --type code

# Specify language
alprina scan ./src --type code --language python

# Comprehensive scan
alprina scan ./src --type code --profile comprehensive

# With specific checks
alprina scan ./src --type code --check-secrets --check-injection

API

curl -X POST https://api.alprina.com/v1/scan/code \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "target": "./src",
    "language": "python",
    "scan_profile": "comprehensive",
    "options": {
      "check_dependencies": true,
      "check_secrets": true,
      "check_compliance": true
    }
  }'

Configuration Options

Option             | Type    | Default | Description
-------------------|---------|---------|--------------------------------------
check_dependencies | boolean | true    | Scan dependencies for vulnerabilities
check_secrets      | boolean | true    | Detect hardcoded secrets
check_compliance   | boolean | false   | Check OWASP/CWE compliance
exclude_paths      | array   | []      | Paths to exclude from scan
severity_threshold | string  | "low"   | Minimum severity to report
max_findings       | integer | 1000    | Maximum findings to return

Example Output

{
  "scan_id": "scan_abc123",
  "status": "completed",
  "agent": "CodeSecurityAgent",
  "findings": [
    {
      "id": "finding_001",
      "severity": "high",
      "category": "injection",
      "title": "SQL Injection Vulnerability",
      "description": "User input directly concatenated into SQL query without sanitization",
      "file": "src/database.py",
      "line": 42,
      "code_snippet": "query = f\"SELECT * FROM users WHERE id = {user_id}\"",
      "recommendation": "Use parameterized queries with placeholders",
      "remediation_code": "query = \"SELECT * FROM users WHERE id = ?\"\ncursor.execute(query, (user_id,))",
      "cwe": "CWE-89",
      "owasp": "A03:2021 - Injection",
      "cvss_score": 8.6,
      "confidence": "high"
    }
  ],
  "summary": {
    "total_findings": 12,
    "critical": 0,
    "high": 2,
    "medium": 5,
    "low": 5
  },
  "metadata": {
    "files_analyzed": 24,
    "lines_of_code": 3542,
    "scan_duration_ms": 2450
  }
}
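Added example (not Alprina's own code): a small gate that a CI step could run over a report of this shape. It reimplements the --fail-on decision and the severity_threshold / --confidence filters described on this page; SAMPLE_REPORT is a constructed copy of the report above with the long text fields omitted, and the function names are mine. One point it makes explicit: the pass/fail decision reads the summary block, because the findings array is capped by max_findings and can be truncated while the summary still counts every finding.

```python
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample: the Example Output above, minus description/snippet fields
SAMPLE_REPORT = {
    "scan_id": "scan_abc123",
    "status": "completed",
    "agent": "CodeSecurityAgent",
    "findings": [
        {
            "id": "finding_001",
            "severity": "high",
            "category": "injection",
            "title": "SQL Injection Vulnerability",
            "file": "src/database.py",
            "line": 42,
            "cwe": "CWE-89",
            "owasp": "A03:2021 - Injection",
            "cvss_score": 8.6,
            "confidence": "high",
        }
    ],
    "summary": {"total_findings": 12, "critical": 0, "high": 2, "medium": 5, "low": 5},
    "metadata": {"files_analyzed": 24, "lines_of_code": 3542, "scan_duration_ms": 2450},
}


def should_fail(report, fail_on="high"):
    """True when the summary counts any finding at or above fail_on.

    The summary is used rather than the findings array because the array is
    capped by max_findings (default 1000) and may omit findings; the summary
    counts all of them.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {fail_on!r}")
    summary = report.get("summary", {})
    return any(
        summary.get(level, 0) > 0
        for level, rank in SEVERITY_RANK.items()
        if rank >= SEVERITY_RANK[fail_on]
    )


def select_findings(report, severity_threshold="low", min_confidence="low"):
    """Findings at or above both thresholds, most severe first.

    Mirrors severity_threshold from the options table and the --confidence
    filter mentioned in the FAQ; a missing field is treated as the lowest rank.
    """
    chosen = [
        f for f in report.get("findings", [])
        if SEVERITY_RANK.get(f.get("severity"), 0) >= SEVERITY_RANK[severity_threshold]
        and CONFIDENCE_RANK.get(f.get("confidence"), 0) >= CONFIDENCE_RANK[min_confidence]
    ]
    return sorted(chosen, key=lambda f: SEVERITY_RANK.get(f.get("severity"), 0), reverse=True)


def format_finding(f):
    """One line per finding, suitable for a CI log."""
    return f"{f['severity'].upper():8} {f['file']}:{f['line']} {f['cwe']} {f['title']}"


if __name__ == "__main__":
    for finding in select_findings(SAMPLE_REPORT, "medium"):
        print(format_finding(finding))
    print("FAIL" if should_fail(SAMPLE_REPORT, "high") else "PASS")
```

With the sample report, gating on high fails the build (the summary reports two high findings) while gating on critical passes; the listing only ever shows the findings the array actually contains, so a non-zero summary count with an empty list is the signal that max_findings truncated the output.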

Best Practices

1. Regular Scans

Run code security scans regularly:

  • Before every commit (pre-commit hook)
  • In CI/CD pipeline
  • Weekly comprehensive scans

2. Integrate with CI/CD

# GitHub Actions example
- name: Alprina Security Scan
  run: |
    alprina scan ./src --type code --format json --output scan-results.json
    alprina report scan-results.json --fail-on high

3. Fix High-Severity Issues First

Prioritize findings by severity:

  1. Critical - Fix immediately
  2. High - Fix within 1 week
  3. Medium - Fix within 1 month
  4. Low - Address in maintenance cycles

4. Use Exclusions Wisely

Exclude files that don’t need scanning:

alprina scan ./src \
  --exclude "*/tests/*" \
  --exclude "*/vendor/*" \
  --exclude "*/node_modules/*"

5. Verify Fixes

After fixing vulnerabilities, use the retester:

alprina retest scan_abc123 --finding finding_001

Language-Specific Features

Python

  • Django security checks
  • Flask security analysis
  • SQLAlchemy query analysis
  • Pickle deserialization detection

JavaScript/TypeScript

  • Express.js security
  • React XSS detection
  • Prototype pollution
  • npm dependency scanning

Java

  • Spring Security analysis
  • Struts vulnerabilities
  • JPA query injection
  • Log4j detection

Go

  • SQL injection in database/sql
  • Command injection
  • Path traversal
  • Cryptographic issues

Common Findings

SQL Injection

Problem:

query = f"SELECT * FROM users WHERE id = {user_id}"

Fix:

query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
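To confirm that this remediation actually closes the finding (the "Verify Fixes" practice above), here is an added regression test of my own, not from the Alprina docs or the agent. It runs the flagged pattern and the remediated pattern against an in-memory sqlite3 database; the users table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed fixture: a three-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_user_vulnerable(conn, user_id):
    """The pattern the agent reports as CWE-89: input spliced into the query text."""
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_user_fixed(conn, user_id):
    """The page's remediation: a placeholder, with the value bound as data.

    Whatever the string contains, sqlite compares it as a value against the
    id column; it never becomes part of the SQL grammar.
    """
    query = "SELECT * FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def remediation_holds(conn, user_id):
    """Regression check: every row the fixed query returns matches the id exactly."""
    return all(str(row[0]) == str(user_id) for row in lookup_user_fixed(conn, user_id))


if __name__ == "__main__":
    db = make_db()
    tautology = "1 OR 1=1"  # the textbook input that turns the filter into "always true"
    print("vulnerable:", lookup_user_vulnerable(db, tautology))  # all three rows
    print("fixed:     ", lookup_user_fixed(db, tautology))       # no rows
    print("holds:", remediation_holds(db, tautology))
```

The fixed version returns no rows for the tautology because sqlite cannot coerce "1 OR 1=1" to an integer, so it is compared as text and matches nothing; the same function still finds bob when handed 2. A test like this belongs next to the fix so a later refactor back to string formatting fails CI rather than waiting for the next scan.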

Hardcoded Secrets

Problem:

API_KEY = "sk-abc123..."

Fix:

import os
API_KEY = os.getenv("API_KEY")

Command Injection

Problem:

os.system(f"ping {hostname}")

Fix:

import subprocess
# Argument list form: hostname is passed as a single argv entry, never parsed by a shell
subprocess.run(["ping", hostname], check=True)

Path Traversal

Problem:

file_path = f"/uploads/{filename}"
with open(file_path) as f:
    content = f.read()

Fix:

import os
safe_path = os.path.join("/uploads", os.path.basename(filename))
with open(safe_path) as f:
    content = f.read()
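The basename fix above maps any traversal attempt onto some file inside /uploads. An added example of my own (not from the Alprina docs) that generalizes it: resolve the requested path and verify it still lies under the upload directory, rejecting names that escape instead of silently rewriting them, so the attempt can be logged. UPLOAD_DIR is an assumed directory for the example and does not need to exist for the checks to run.

```python
import os

# Assumed upload root for the example; the checks below do not require it to exist
UPLOAD_DIR = os.path.join(os.getcwd(), "uploads")


def resolve_upload_path(filename, base_dir=UPLOAD_DIR):
    """Return the absolute path for filename inside base_dir, or raise ValueError.

    Unlike os.path.basename(), which quietly turns '../../etc/passwd' into
    'passwd', this refuses any name that would resolve outside base_dir.
    Subdirectories inside base_dir are allowed.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when filename is absolute; realpath collapses '..'
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath is the containment test; a bare '.' or '' resolves to base itself
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected upload name: {filename!r}")
    return candidate


def is_safe_upload_name(filename, base_dir=UPLOAD_DIR):
    """Boolean form of resolve_upload_path for validators and tests."""
    try:
        resolve_upload_path(filename, base_dir)
        return True
    except ValueError:
        return False


def read_upload(filename, base_dir=UPLOAD_DIR):
    """The page's read, with the containment check in front of open()."""
    with open(resolve_upload_path(filename, base_dir)) as f:
        return f.read()


if __name__ == "__main__":
    for name in ["report.pdf", "2024/report.pdf", "../../etc/passwd", "/etc/passwd", ""]:
        print(f"{name!r:22} -> {'ok' if is_safe_upload_name(name) else 'rejected'}")
```

Both base and candidate go through realpath so symlinked directories compare consistently; on Windows, commonpath raises ValueError for paths on different drives, which the boolean wrapper treats as a rejection. Note that this protects the path only; what the file contains and who may read it are separate authorization questions.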

Performance Tips

  1. Use Quick Profile for CI/CD: Faster feedback in pipelines
  2. Scan Changed Files Only: Use git diff to identify files
  3. Cache Results: Reuse results for unchanged files
  4. Parallel Scanning: Scan multiple directories in parallel

Limitations

  • Cannot detect runtime vulnerabilities
  • May produce false positives (verify findings)
  • Limited to static analysis (no dynamic testing)
  • Requires source code access

Integration Examples

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit
echo "Running Alprina security scan..."
alprina scan ./src --type code --profile quick --fail-on high
if [ $? -ne 0 ]; then
  echo "Security scan failed. Commit aborted."
  exit 1
fi

GitHub Actions

name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Run security scan
        run: alprina scan ./src --type code --fail-on high
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}

FAQs

Q: How accurate is the Code Security Agent?
A: The agent has >95% accuracy with low false positive rates. Always verify critical findings.

Q: Can it scan multiple languages in one project?
A: Yes, the agent auto-detects languages and uses appropriate analysis techniques.

Q: How do I reduce false positives?
A: Use --confidence high to show only high-confidence findings.

Q: Does it check dependencies?
A: Yes, when check_dependencies is enabled, it scans for known CVEs in dependencies.
