Open Source Project Update: Repository Scanner

ABN AMRO
ABN AMRO Developer Blog
Jul 17, 2023

In December 2022 ABN AMRO launched the open source project “Repository Scanner” on the ABN AMRO GitHub account. Here is an update from the team behind Repository Scanner.

Our experience after the launch

After the launch, as with any new project, we ran into challenges we had to work out: supporting open source contributors, defining the roadmap, patching security vulnerabilities, keeping a steady release pace, and engaging with the open source community.

We are very proud to say that we have reached the milestone of 100 stars on GitHub. Starring is the common way for developers to bookmark a project they find interesting, or want to check back on once in a while.

Even better than stars are the interactions we have had with a couple of companies and agencies in the Netherlands that have expressed interest in using Repository Scanner for various use cases. Helping them with basic questions, and where needed walking them through the deployment setup, is something the team behind Repository Scanner takes great pleasure in.

Repository Scanner updates

Many of the commonly asked questions concern the setup of Repository Scanner. To make deployment smoother, a setup wizard has been released that guides developers through all the settings required to get Repository Scanner up and running in a local or server environment.

Functionally there have been many changes since the initial release, version 1.0.0. Version 1.4.0 was released recently and is in fact the ninth release of Repository Scanner. The latest release includes all kinds of metrics, improved triage flows for findings, performance improvements, dependency upgrades and patches, API changes, and much more.

We support Open Source

ABN AMRO not only provides Repository Scanner to the open source community, but also supports open source in general. One example is a recent pull request to the open source project GitLeaks, which Repository Scanner depends on for secret detection. The pull request fixed a bug in GitLeaks and was merged by the maintainers of that project into the latest released version of GitLeaks.

Repository Scanner is used internally within ABN AMRO by a couple of teams, in three different scenarios. First, scans run continuously across all source code in all projects and repositories, covering the full history, to catch hard-coded secrets in every commit ever made. Developers are informed about detected secrets and must rotate the secret, replace it with a parameter (for example an environment variable or a reference to a secret store), and, if possible, remove the commit from history. Rotation comes first: a secret that has reached the repository has to be treated as exposed, regardless of whether the history is later rewritten.

Second, Repository Scanner runs with every CI build in all CI pipelines. The code is scanned for a subset of secret types that are the most severe if exposed, and the build is set to warning mode, rather than failed, when a secret is detected. The true positive rate for the CI scans is upwards of 95%.

Finally, Repository Scanner is run locally as a command-line tool to do a quick scan of a local code base before committing. This lets developers stop new hard-coded secrets from entering the source code repository undetected.
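To make the three usage modes above concrete, here is an added example (not Repository Scanner's own code, which builds on GitLeaks for detection) of a minimal secret detector in Python. Each rule carries a severity tier, so the same scanner can do a full scan that reports every rule (the continuous history scan), a CI gate that considers only the high-severity rule types and only warns, and a pre-commit style scan that blocks. Everything in the block is an assumption constructed for illustration: the `RULES` patterns and their severity labels, the `Finding`, `scan_text`, `gate`, `full_scan`, `ci_scan` and `precommit_scan` names, and the `SAMPLE` file contents (the AWS key ID is the documented placeholder value, the GitHub token is a made-up string of the right shape).

```python
"""Minimal hard-coded-secret detector illustrating the three usage modes
(full history scan, warning-only CI gate, blocking pre-commit scan).
Added example; not Repository Scanner's code. Rules, severities, names and
sample input are all constructed for illustration."""
import re
import sys
from dataclasses import dataclass

# Assumed rule set: (name, severity, pattern). The AWS key ID, GitHub token and
# PEM header are well-known shapes; the generic password rule is deliberately
# noisy, so it is tagged low severity and excluded from the CI/pre-commit tiers.
RULES = [
    ("aws-access-key-id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("github-pat", "high", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic-password", "low",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    redacted: str  # the report must never re-log the full secret


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a developer can recognise the secret, mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text: str, min_severity: str = "low") -> list[Finding]:
    """Run every rule at or above min_severity over each line of text."""
    threshold = SEVERITY_RANK[min_severity]
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if SEVERITY_RANK[severity] < threshold:
                continue
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(name, severity, line_no, redact(secret)))
    return findings


def gate(findings: list[Finding], mode: str) -> int:
    """Exit-code policy: 'warn' (CI) reports but never fails the build,
    'block' (pre-commit) returns 1 as soon as there is any finding."""
    for f in findings:
        print(f"[{f.severity}] line {f.line_no}: {f.rule} -> {f.redacted}",
              file=sys.stderr)
    return 1 if (mode == "block" and findings) else 0


# Constructed sample of a file a developer might be about to commit.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "correct-horse-battery"
token = ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
log_level = debug
"""


def full_scan(text: str = SAMPLE) -> list[Finding]:
    """Continuous scan mode: every rule, every line."""
    return scan_text(text, "low")


def ci_scan(text: str = SAMPLE) -> tuple[list[Finding], int]:
    """CI mode: high-severity rules only, warning mode (exit code stays 0)."""
    found = scan_text(text, "high")
    return found, gate(found, "warn")


def precommit_scan(text: str = SAMPLE) -> tuple[list[Finding], int]:
    """Pre-commit mode: high-severity rules only, block the commit on a hit."""
    found = scan_text(text, "high")
    return found, gate(found, "block")


if __name__ == "__main__":
    # Feed the staged diff (e.g. `git diff --cached -U0`) on stdin, or fall back to SAMPLE.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.exit(precommit_scan(data)[1])
```

The point of the severity tier is the trade-off the post describes: the noisy generic rule is fine for a continuous scan whose results are triaged by a team, but in CI and pre-commit only the rule types that are both severe and rarely wrong are enabled, which is what keeps the true positive rate high enough for developers to trust a warning. Redacting the match before printing matters in CI, where build logs are often far more widely readable than the repository itself.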

Contribute to the project

We are looking for active contributors to Repository Scanner on GitHub. Anyone interested in contributing is encouraged to open a pull request, create an issue, or just reach out to us via resc@nl.abnamro.com.
