# Scanning Setup Guide

Organizations often have many repositories spread across platforms such as GitHub and GitLab. Some of those repositories have CI/CD pipelines, others do not. To scan every repository consistently, both on event-based triggers and on a fixed schedule, you need a well-structured setup. This practice is commonly referred to as Application Security Hygiene and is often a mandatory requirement for software security compliance.

Here’s how to set up your AquilaX environment for optimal scanning and group management:

## Step-by-Step Guide

### 1. Organize Your Groups

Log in to the AquilaX portal. Create or modify your groups to maintain a simple structure. For most cases, having **a single group**—let’s call it “*Default Group*”—is sufficient. This centralizes management and simplifies your setup.

### 2. Clean Up Existing Projects

If there are pre-existing projects in the group, **delete them to start fresh**. A clean setup ensures consistency and avoids misconfigurations.

### 3. Configure the Security Policy

Set up a **Security Policy JSON for your group**. The policy defines the scanning rules and parameters once and applies them uniformly to every repository listed in it.

<pre class="language-json"><code class="lang-json">{
  "<a data-footnote-ref href="#user-content-fn-1">frequency</a>": "weekly",
  "<a data-footnote-ref href="#user-content-fn-2">avatar</a>": "https://avatars.githubusercontent.com/u/155273638?s=200&#x26;v=4",
  "description": "Example Policy for production purposes",
  "author": "&#x3C;Your team name here>",
  "<a data-footnote-ref href="#user-content-fn-3">ignore</a>": [
    "test/*",
    "tests/*",
    "node_modules/*",
    "semgrep-rules/**",
    "yara_rules/**",
    "configs/**"
  ],
  "<a data-footnote-ref href="#user-content-fn-4">jira_project_key</a>": "SCRUM",
  "notify_on_failure": true,
  "<a data-footnote-ref href="#user-content-fn-5">raise_tickets</a>": true,
  "<a data-footnote-ref href="#user-content-fn-6">ticket_body</a>": "Was found this {{vuln}} on this file {{file}}",
  "<a data-footnote-ref href="#user-content-fn-7">ticket_integration</a>": "GitHub, GitLab, Jira",
  "<a data-footnote-ref href="#user-content-fn-8">ticket_title</a>": "AquilaX - {{vuln}}",
  "<a data-footnote-ref href="#user-content-fn-9">repos</a>": [
        "https://github.com/aquilax-ai"
  ],
  "<a data-footnote-ref href="#user-content-fn-10">scanners</a>": [
    {
      "compliance": true,
      "enforced": true
    },
    {
      "enforced": true,
      "secret": true
    },
    {
      "enforced": true,
      "pii": true
    },
    {
      "enforced": true,
      "sast": true
    },
    {
      "enforced": true,
      "sca": true,
      "licenses": {
                "mixed_licenses": true,
                "prohibited": [
                  "GPL*",
                  "BSD"
                ]
      }
    },
    {
      "container": true,
      "enforced": true
    },
    {
      "enforced": true,
      "iac": true
    },
    {
      "api": true,
      "enforced": true
    },
    {
      "enforced": true,
      "malware": true
    }
  ],
  "<a data-footnote-ref href="#user-content-fn-11">tags</a>": [
    "all-scanners",
    "prod"
  ],
  "testing": false,
  "<a data-footnote-ref href="#user-content-fn-12">threshold</a>": {
    "HIGH": 50,
    "LOW": 99999,
    "MEDIUM": 1000,
    "total": 300
  }
}
</code></pre>
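A policy like the one above is easy to get subtly wrong (a stray trailing comma, a scanner entry with no scanner flag, a threshold that is not a number), and the mistake only surfaces when a pipeline is unexpectedly blocked or never blocked. The following script is an added example, not AquilaX code: it lints a policy before you paste it into the portal, and it illustrates what the `threshold` and `licenses.prohibited` fields do. The key set, scanner names, the "block when a count exceeds its limit" rule and the glob-style license matching are assumptions inferred from the sample policy and its footnotes, not documented behaviour.

```python
"""Lint an AquilaX group security policy before uploading it.

Added example, not AquilaX code: the expected keys, scanner names, the
threshold rule and the license glob matching are assumptions inferred
from the documented sample policy.
"""
import fnmatch
import json

EXPECTED = {  # key -> JSON type (assumed from the sample policy)
    "frequency": str, "description": str, "author": str, "ignore": list,
    "notify_on_failure": bool, "raise_tickets": bool, "repos": list,
    "scanners": list, "tags": list, "testing": bool, "threshold": dict,
}
SCANNERS = {"compliance", "secret", "pii", "sast", "sca",
            "container", "iac", "api", "malware"}


def lint_policy(text):
    """Return a list of problems in the policy JSON text (empty means clean)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(policy, dict):
        return ["top level must be an object"]
    problems = []
    for key, typ in EXPECTED.items():
        if key not in policy:
            problems.append(f"missing key: {key}")
        elif not isinstance(policy[key], typ):
            problems.append(f"{key}: expected {typ.__name__}")
    for repo in policy.get("repos", []):
        if not (isinstance(repo, str) and repo.startswith("https://")):
            problems.append(f"repos: not an https URL: {repo!r}")
    if policy.get("raise_tickets") and not policy.get("ticket_integration"):
        problems.append("raise_tickets is true but ticket_integration is unset")
    for i, entry in enumerate(policy.get("scanners", [])):
        # Each entry should switch on exactly one scanner and say whether it is enforced.
        enabled = ([k for k in entry if k in SCANNERS and entry[k] is True]
                   if isinstance(entry, dict) else [])
        if len(enabled) != 1:
            problems.append(f"scanners[{i}]: expected exactly one scanner flag, got {enabled}")
        elif not isinstance(entry.get("enforced"), bool):
            problems.append(f"scanners[{i}]: enforced must be true or false")
    thr = policy.get("threshold", {})
    for sev, limit in (thr.items() if isinstance(thr, dict) else []):
        if isinstance(limit, bool) or not isinstance(limit, int) or limit < 0:
            problems.append(f"threshold: {sev} must be a non-negative integer, got {limit!r}")
    return problems


def exceeded_thresholds(counts, threshold):
    """Buckets whose finding count is above the policy limit.

    Assumed rule: the pipeline is blocked when a severity count, or the
    total across severities, exceeds its limit; unlisted buckets never block.
    """
    counts = dict(counts, total=sum(counts.values()))
    return sorted(sev for sev, limit in threshold.items() if counts.get(sev, 0) > limit)


def is_prohibited(license_id, prohibited):
    """Glob-style match, as the GPL* entry suggests (assumption). Case-sensitive."""
    return any(fnmatch.fnmatchcase(license_id, pat) for pat in prohibited)


# Constructed sample: a trimmed copy of the documented policy.
SAMPLE_POLICY = json.dumps({
    "frequency": "weekly", "description": "Example Policy for production purposes",
    "author": "<Your team name here>", "ignore": ["test/*", "tests/*", "node_modules/*"],
    "jira_project_key": "SCRUM", "notify_on_failure": True, "raise_tickets": True,
    "ticket_body": "Was found this {{vuln}} on this file {{file}}",
    "ticket_integration": "GitHub, GitLab, Jira", "ticket_title": "AquilaX - {{vuln}}",
    "repos": ["https://github.com/aquilax-ai"],
    "scanners": [{"enforced": True, "secret": True},
                 {"enforced": True, "sca": True,
                  "licenses": {"mixed_licenses": True, "prohibited": ["GPL*", "BSD"]}}],
    "tags": ["all-scanners", "prod"], "testing": False,
    "threshold": {"HIGH": 50, "LOW": 99999, "MEDIUM": 1000, "total": 300},
})
# Constructed sample with the trailing commas strict JSON parsers reject.
BROKEN_POLICY = '{"frequency": "weekly", "scanners": [{"enforced": true, "sca": true,},]}'

if __name__ == "__main__":
    print("sample:", lint_policy(SAMPLE_POLICY) or "clean")
    print("broken:", lint_policy(BROKEN_POLICY))
    print("blocked on:", exceeded_thresholds({"HIGH": 10, "MEDIUM": 290, "LOW": 5},
                                             {"HIGH": 50, "MEDIUM": 1000, "LOW": 99999, "total": 300}))
```

Two things the script makes visible that the policy text does not: with the sample limits, `total: 300` trips before `MEDIUM: 1000` ever can, so a run with 290 medium and 10 high findings is blocked by the total alone; and a bare `BSD` pattern matches only the literal string `BSD`, so a dependency licensed `BSD-3-Clause` is not flagged unless the pattern is widened to `BSD*`.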

### 4. Enable CI/CD Integration

For each repository in GitHub or GitLab:

- Integrate AquilaX scanning into the **CI/CD pipeline to automatically scan** code with every software change: <https://docs.aquilax.ai/user-manual/devtools/ci-cd>
- This ensures that vulnerabilities are identified and addressed while the change is still in development, rather than at the next scheduled full scan.

### 5. Schedule Weekly Full Scans

In addition to the CI/CD-triggered scans, run a **full scan of all repositories weekly** (the `frequency` field of the policy above). The full scan covers repositories that have no pipeline and catches findings that incremental scans miss, for example a newly published vulnerability in a dependency that has not changed since the last commit.

### 6. Review Findings with AquilaX

Engage AquilaX's team to review findings classified as "Unverified". This step **reduces noise by identifying false positives** and also helps train your custom AI model, improving accuracy over time. (Note: this feature is available with the Ultimate License.)

### 7. Monitor Reports

Access the **report page** to review detailed findings or wait for the automated **weekly report over email** for a summary of security insights.

### 8. Create a Testing Group (Optional)

If needed, set up a **separate group for testing or development purposes**. This serves as a sandbox environment for experimentation without impacting production scans.

[^1]: Scan interval; `weekly` ensures every project is scanned at least once a week

[^2]: Link to a publicly accessible avatar (optional)

[^3]: Folders to be ignored during scanning (glob patterns)

[^4]: Jira project key (optional)

[^5]: Whether to raise tickets for security issues

[^6]: Ticket body; `{{vuln}}` and `{{file}}` are substituted per finding (optional)

[^7]: Ticketing systems enabled (optional)

[^8]: Ticket title (optional)

[^9]: Repositories covered by this group: a single repository URL, or a GitHub organisation / GitLab group URL whose repositories are all included

[^10]: List of scanners enabled

[^11]: Tags associated with the scan (optional)

[^12]: Maximum number of findings per severity (and in total) before CI/CD blocks the pipeline
