Scanning Setup Guide

Setting Up AquilaX Scanning and Groups: A Guide

Organizations often have multiple repositories distributed across platforms like GitHub and GitLab. While some repositories have CI/CD pipelines enabled, others do not. To ensure comprehensive scanning across all repositories—both on event-based triggers and periodically—it’s essential to establish a well-structured setup. This practice is commonly referred to as Application Security Hygiene and is often a mandatory requirement for maintaining software security compliance.

Here’s how to set up your AquilaX environment for optimal scanning and group management:

Step-by-Step Guide

1. Organize Your Groups

Log in to the AquilaX portal. Create or modify your groups to maintain a simple structure. For most cases, having a single group—let’s call it “Default Group”—is sufficient. This centralizes management and simplifies your setup.

2. Clean Up Existing Projects

If there are pre-existing projects in the group, delete them to start fresh. A clean setup ensures consistency and avoids misconfigurations.

3. Configure the Security Policy

Set up a Security Policy JSON for your group. This policy defines the scanning rules and parameters to ensure uniform application across all repositories.

{
  "": "weekly",
  "": "https://avatars.githubusercontent.com/u/155273638?s=200&v=4",
  "description": "Example Policy for production purposes",
  "author": "<Your team name here>",
  "": [
    "test/*",
    "tests/*",
    "node_modules/*",
    "semgrep-rules/**",
    "yara_rules/**",
    "configs/**"
  ],
  "": "SCRUM",
  "notify_on_failure": true,
  "": true,
  "": "Was found this {{vuln}} on this file {{file}}",
  "": "GitHub, GitLab, Jira",
  "": "AquilaX - {{vuln}}",
  "": [
    "https://github.com/aquilax-ai"
  ],
  "": [
    {
      "compliance": true,
      "enforced": true
    },
    {
      "enforced": true,
      "secret": true
    },
    {
      "enforced": true,
      "pii": true
    },
    {
      "enforced": true,
      "sast": true
    },
    {
      "enforced": true,
      "sca": true,
      "licenses": {
        "mixed_licenses": true,
        "prohibited": [
          "GPL*",
          "BSD"
        ]
      }
    },
    {
      "container": true,
      "enforced": true
    },
    {
      "enforced": true,
      "iac": true
    },
    {
      "api": true,
      "enforced": true
    },
    {
      "enforced": true,
      "malware": true
    }
  ],
  "": [
    "all-scanners",
    "prod"
  ],
  "testing": false,
  "": {
    "HIGH": 50,
    "LOW": 99999,
    "MEDIUM": 1000,
    "total": 300
  }
}

4. Enable CI/CD Integration

For each repository in GitHub or GitLab:

• Integrate AquilaX scanning into the CI/CD pipeline to automatically scan code with every software change (see https://docs.aquilax.ai/user-manual/devtools/ci-cd).

This ensures that vulnerabilities are identified and addressed in real time during development.

5. Schedule Monthly Full Scans

Regardless of CI/CD-triggered scans, initiate a full scan of all repositories weekly. This practice captures any vulnerabilities that might be missed in incremental scans.

6. Review Findings with AquilaX

Engage AquilaX’s team to review findings classified as “Unverified”. This step reduces noise by identifying false positives. It also helps train your custom AI model, improving accuracy over time. (Note: This feature is available with the Ultimate License.)

7. Monitor Reports

Access the report page to review detailed findings or wait for the automated weekly report over email for a summary of security insights.

8. Create a Testing Group (Optional)

If needed, set up a separate group for testing or development purposes. This serves as a sandbox environment for experimentation without impacting production scans.
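To show how the policy from step 3 acts as a gate in the CI/CD integration of step 4, here is an added example (not AquilaX code) that applies the page's exclusion globs, prohibited-license patterns and severity thresholds to a constructed set of findings. The key names exclude_paths, prohibited_licenses and thresholds are assumptions, since the page's JSON shows the values but not the key names.

```python
"""Policy gate: apply Security Policy exclusions, license rules and thresholds.

Added example, not AquilaX code. Key names (exclude_paths, prohibited_licenses,
thresholds) are assumed; the values are taken from the page's example policy.
"""
from collections import Counter
from fnmatch import fnmatch

# Values from the page's policy; key names are assumptions.
POLICY = {
    "exclude_paths": ["test/*", "tests/*", "node_modules/*", "configs/**"],
    "prohibited_licenses": ["GPL*", "BSD"],   # "BSD" matches only exactly "BSD"
    "thresholds": {"HIGH": 50, "MEDIUM": 1000, "LOW": 99999, "total": 300},
}

# Constructed findings; one sits under tests/ and must be ignored by the gate.
FINDINGS = [
    {"path": "src/app.py", "severity": "HIGH", "license": None},
    {"path": "tests/test_app.py", "severity": "HIGH", "license": None},
    {"path": "package.json", "severity": "MEDIUM", "license": "GPL-3.0"},
]


def is_excluded(path, patterns):
    """True if the path matches any exclusion glob (fnmatch '*' also spans '/')."""
    return any(fnmatch(path, p) for p in patterns)


def evaluate(findings, policy):
    """Return (passed, reasons); a non-empty reasons list means the build fails."""
    reasons = []
    kept = [f for f in findings if not is_excluded(f["path"], policy["exclude_paths"])]
    counts = Counter(f["severity"] for f in kept)
    # "total" caps all remaining findings; the other keys cap one severity each.
    for sev, limit in policy["thresholds"].items():
        n = len(kept) if sev == "total" else counts[sev]
        if n > limit:
            reasons.append(f"{sev}: {n} findings exceed threshold {limit}")
    # Any dependency whose license matches a prohibited pattern fails the gate.
    for f in kept:
        lic = f.get("license")
        if lic and any(fnmatch(lic, p) for p in policy["prohibited_licenses"]):
            reasons.append(f"{f['path']}: prohibited license {lic}")
    return not reasons, reasons


if __name__ == "__main__":
    print(evaluate(FINDINGS, POLICY))
```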


Last updated 4 months ago
