Scanning Setup Guide

Organizations often have multiple repositories distributed across platforms like GitHub and GitLab. While some repositories have CI/CD pipelines enabled, others do not. To ensure comprehensive scanning across all repositories—both on event-based triggers and periodically—it’s essential to establish a well-structured setup. This practice is commonly referred to as Application Security Hygiene and is often a mandatory requirement for maintaining software security compliance.

Here’s how to set up your AquilaX environment for optimal scanning and group management:

Step-by-Step Guide

1. Organize Your Groups

Log in to the AquilaX portal. Create or modify your groups to maintain a simple structure. For most cases, having a single group—let’s call it “Default Group”—is sufficient. This centralizes management and simplifies your setup.

2. Clean Up Existing Projects

If there are pre-existing projects in the group, delete them to start fresh. A clean setup ensures consistency and avoids misconfigurations.

3. Configure the Security Policy

Set up a Security Policy JSON for your group. This policy defines the scanning rules and parameters to ensure uniform application across all repositories.

{
  "frequency": "weekly",
  "avatar": "https://avatars.githubusercontent.com/u/155273638?s=200&v=4",
  "description": "Example Policy for production purposes",
  "author": "<Your team name here>",
  "ignore": [
    "test/*",
    "tests/*",
    "node_modules/*",
    "semgrep-rules/**",
    "yara_rules/**",
    "configs/**"
  ],
  "jira_project_key": "SCRUM",
  "notify_on_failure": true,
  "raise_tickets": true,
  "ticket_body": "Was found this {{vuln}} on this file {{file}}",
  "ticket_integration": "GitHub, GitLab, Jira",
  "ticket_title": "AquilaX - {{vuln}}",
  "repos": [
        "https://github.com/aquilax-ai"
  ],
  "scanners": [
    {
      "compliance": true,
      "enforced": true
    },
    {
      "enforced": true,
      "secret": true
    },
    {
      "enforced": true,
      "pii": true
    },
    {
      "enforced": true,
      "sast": true
    },
    {
      "enforced": true,
      "sca": true,
      "licenses": {
                "mixed_licenses": true,
                "prohibited": [
                  "GPL*",
                  "BSD"
                ]
      },
    },
    {
      "container": true,
      "enforced": true
    },
    {
      "enforced": true,
      "iac": true
    },
    {
      "api": true,
      "enforced": true
    },
    {
      "enforced": true,
      "malware": true
    }
  ],
  "tags": [
    "all-scanners",
    "prod"
  ],
  "testing": false,
  "threshold": {
    "HIGH": 50,
    "LOW": 99999,
    "MEDIUM": 1000,
    "total": 300
  }
}

4. Enable CI/CD Integration

• For each repository in GitHub or GitLab:

• Integrate AquilaX scanning into the CI/CD pipeline to automatically scan code with every software change. https://docs.aquilax.ai/user-manual/devtools/ci-cd

• This ensures that vulnerabilities are identified and addressed in real-time during development.

5. Schedule Monthly Full Scans

Regardless of CI/CD-triggered scans, initiate a full scan of all repositories weekly. This practice captures any vulnerabilities that might be missed in incremental scans.

6. Review Findings with AquilaX

Engage AquilaX’s team to review findings classified as “Unverified”, This step reduces noise by identifying false positives. It also helps train your custom AI model, improving accuracy over time. (Note: This feature is available with the Ultimate License.)

7. Monitor Reports

Access the report page to review detailed findings or wait for the automated weekly report over email for a summary of security insights.

8. Create a Testing Group (Optional)

If needed, set up a separate group for testing or development purposes. This serves as a sandbox environment for experimentation without impacting production scans.