# Scanning Setup Guide

Organizations often have many repositories spread across platforms such as GitHub and GitLab. Some of those repositories have CI/CD pipelines, others do not. To scan all of them, both on events (every push or merge request) and on a schedule, you need a deliberate setup. This practice is commonly referred to as Application Security Hygiene and is often a mandatory requirement for software security compliance.

Here’s how to set up your AquilaX environment for optimal scanning and group management:

## Step-by-Step Guide

### 1. Organize Your Groups

Log in to the AquilaX portal. Create or modify your groups to maintain a simple structure. For most cases, having **a single group**—let’s call it “*Default Group*”—is sufficient. This centralizes management and simplifies your setup.

### 2. Clean Up Existing Projects

If there are pre-existing projects in the group, **delete them to start fresh**. A clean setup ensures consistency and avoids misconfigurations.

### 3. Configure the Security Policy

Set up a **Security Policy JSON for your group**. This policy defines the scanning rules and parameters to ensure uniform application across all repositories.

<pre class="language-json"><code class="lang-json">{
  "<a data-footnote-ref href="#user-content-fn-1">frequency</a>": "weekly",
  "<a data-footnote-ref href="#user-content-fn-2">avatar</a>": "https://avatars.githubusercontent.com/u/155273638?s=200&#x26;v=4",
  "description": "Example Policy for production purposes",
  "author": "&#x3C;Your team name here>",
  "<a data-footnote-ref href="#user-content-fn-3">ignore</a>": [
    "test/*",
    "tests/*",
    "node_modules/*",
    "semgrep-rules/**",
    "yara_rules/**",
    "configs/**"
  ],
  "<a data-footnote-ref href="#user-content-fn-4">jira_project_key</a>": "SCRUM",
  "notify_on_failure": true,
  "<a data-footnote-ref href="#user-content-fn-5">raise_tickets</a>": true,
  "<a data-footnote-ref href="#user-content-fn-6">ticket_body</a>": "Found {{vuln}} in file {{file}}",
  "<a data-footnote-ref href="#user-content-fn-7">ticket_integration</a>": "GitHub, GitLab, Jira",
  "<a data-footnote-ref href="#user-content-fn-8">ticket_title</a>": "AquilaX - {{vuln}}",
  "<a data-footnote-ref href="#user-content-fn-9">repos</a>": [
    "https://github.com/aquilax-ai"
  ],
  "<a data-footnote-ref href="#user-content-fn-10">scanners</a>": [
    {
      "compliance": true,
      "enforced": true
    },
    {
      "enforced": true,
      "secret": true
    },
    {
      "enforced": true,
      "pii": true
    },
    {
      "enforced": true,
      "sast": true
    },
    {
      "enforced": true,
      "sca": true,
      "licenses": {
        "mixed_licenses": true,
        "prohibited": [
          "GPL*",
          "BSD"
        ]
      }
    },
    {
      "container": true,
      "enforced": true
    },
    {
      "enforced": true,
      "iac": true
    },
    {
      "api": true,
      "enforced": true
    },
    {
      "enforced": true,
      "malware": true
    }
  ],
  "<a data-footnote-ref href="#user-content-fn-11">tags</a>": [
    "all-scanners",
    "prod"
  ],
  "testing": false,
  "<a data-footnote-ref href="#user-content-fn-12">threshold</a>": {
    "HIGH": 50,
    "LOW": 99999,
    "MEDIUM": 1000,
    "total": 300
  }
}
</code></pre>
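
The policy is plain JSON, so it is worth linting before it is uploaded to the group. The script below is an added example, not AquilaX code: the only schema it assumes is what the JSON above shows (the key names, the scanner names, and a `threshold` that caps findings per severity and in total). The helper `should_block` applies the threshold on the assumption that the pipeline is blocked as soon as a count exceeds its cap; under that reading the policy above caps `total` at 300, so its `MEDIUM` and `LOW` caps can never be reached and 301 low-severity findings already block the build. `lint_policy`, `should_block`, `load_sample_policy`, the repo-URL regex and the constructed sample policy are this example's own.

```python
"""Lint an AquilaX group Security Policy JSON before committing it.

Added example; the key names come from the policy shown above, the
checks and the threshold semantics are assumptions of this script.
"""
import json
import re
from typing import Any

# Constructed sample: a trimmed copy of the policy above with the same
# threshold values; it is not fetched from AquilaX.
SAMPLE_POLICY_JSON = """
{
  "frequency": "weekly",
  "description": "Example Policy for production purposes",
  "ignore": ["test/*", "tests/*", "node_modules/*"],
  "raise_tickets": true,
  "ticket_integration": "GitHub, GitLab, Jira",
  "repos": ["https://github.com/aquilax-ai"],
  "scanners": [
    {"enforced": true, "secret": true},
    {"enforced": true, "sast": true},
    {"enforced": true, "sca": true,
     "licenses": {"mixed_licenses": true, "prohibited": ["GPL*", "BSD"]}}
  ],
  "tags": ["all-scanners", "prod"],
  "testing": false,
  "threshold": {"HIGH": 50, "LOW": 99999, "MEDIUM": 1000, "total": 300}
}
"""

SEVERITIES = ("HIGH", "MEDIUM", "LOW")
# Scanner names exactly as they appear in the policy above.
KNOWN_SCANNERS = {"compliance", "secret", "pii", "sast", "sca",
                  "container", "iac", "api", "malware"}
# Assumption: repos are GitHub/GitLab URLs (an org/group or a single repo).
REPO_URL = re.compile(r"^https://(github\.com|gitlab\.com)/[\w.-]+(/[\w.-]+)*/?$")
# Ignore globs that would exclude the whole tree from scanning.
OVERBROAD_IGNORE = {"*", "**", "**/*", "/", "./"}


def load_sample_policy() -> dict[str, Any]:
    return json.loads(SAMPLE_POLICY_JSON)


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the policy passed."""
    problems: list[str] = []

    for key in ("frequency", "repos", "scanners", "threshold"):
        if key not in policy:
            problems.append(f"missing required key {key!r}")

    for repo in policy.get("repos", []):
        if not REPO_URL.match(repo):
            problems.append(f"repo {repo!r} is not a GitHub/GitLab URL")

    for pattern in policy.get("ignore", []):
        if pattern.strip() in OVERBROAD_IGNORE:
            problems.append(f"ignore pattern {pattern!r} excludes the whole repository")

    for entry in policy.get("scanners", []):
        names = set(entry) & KNOWN_SCANNERS
        if len(names) != 1:
            problems.append(f"scanner entry {entry} must name exactly one scanner")
            continue
        if entry.get("enforced") is not True:
            problems.append(f"scanner {names.pop()!r} is not enforced and can be skipped")

    if policy.get("raise_tickets") and not policy.get("ticket_integration"):
        problems.append("raise_tickets is true but no ticket_integration is set")

    if policy.get("testing") and "prod" in policy.get("tags", []):
        problems.append("policy is tagged 'prod' but has testing enabled")

    threshold = policy.get("threshold", {})
    for key in (*SEVERITIES, "total"):
        value = threshold.get(key)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append(f"threshold {key!r} must be a non-negative integer")
    total = threshold.get("total")
    if isinstance(total, int):
        for sev in SEVERITIES:
            cap = threshold.get(sev)
            if isinstance(cap, int) and cap > total:
                problems.append(
                    f"threshold {sev}={cap} can never be reached: total={total} blocks first")
    return problems


def should_block(threshold: dict[str, int], counts: dict[str, int]) -> bool:
    """Assumed rule: block when any severity count, or the total, exceeds its cap."""
    total = sum(counts.get(sev, 0) for sev in SEVERITIES)
    if "total" in threshold and total > threshold["total"]:
        return True
    return any(counts.get(sev, 0) > threshold[sev]
               for sev in SEVERITIES if sev in threshold)


if __name__ == "__main__":
    policy = load_sample_policy()
    for problem in lint_policy(policy):
        print("WARN:", problem)
    print("301 LOW findings block the pipeline:",
          should_block(policy["threshold"], {"LOW": 301}))
```

Run it against your own policy file by replacing `load_sample_policy()` with `json.load(open(path))`; anything it prints as `WARN` is worth fixing before the policy is attached to the group.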

### 4. Enable CI/CD Integration

For each repository in GitHub or GitLab:

• Integrate AquilaX scanning into the **CI/CD pipeline to automatically scan** code with every software change, following <https://docs.aquilax.ai/user-manual/devtools/ci-cd>.

• This ensures that vulnerabilities are identified and addressed during development, before the change is merged.

### 5. Schedule Weekly Full Scans

Regardless of CI/CD-triggered scans, run a **full scan of all repositories weekly** (the `frequency` set in the policy above). This catches vulnerabilities that incremental scans miss, covers repositories that have no pipeline at all, and re-checks dependencies that have not changed but have since had new advisories published.

### 6. Review Findings with AquilaX

Engage AquilaX’s team to review findings classified as “Unverified”. This step **reduces noise by identifying false positives** and also helps train your custom AI model, improving accuracy over time. (Note: this feature is available with the Ultimate License.)

### 7. Monitor Reports

Access the **report page** to review detailed findings or wait for the automated **weekly report over email** for a summary of security insights.

### 8. Create a Testing Group (Optional)

If needed, set up a **separate group for testing or development purposes**. This serves as a sandbox environment for experimentation without impacting production scans.

[^1]: Scan frequency for the group; `weekly` ensures every project is scanned at least once a week, independently of CI/CD triggers

[^2]: Link to a public accessible Avatar (optional)

[^3]: Folders to be ignored during scanning

[^4]: JIRA name (Optional)

[^5]: Ability to raise tickets for security issues

[^6]: Ticket Body (optional)

[^7]: Ticketing systems enabled (Optional)

[^8]: Ticket Title (Optional)

[^9]: Repositories covered by this group: a single repository URL or a GitHub organization / GitLab group URL (all of its repositories), from GitHub and/or GitLab

[^10]: List of scanners enabled

[^11]: Tags associated with the scan (Optional)

[^12]: Maximum number of findings per severity, and in total, tolerated before CI/CD blocks the pipeline

