# Configuration

Compliance Scanner is configured through environment variables. Copy `.env.example` to `.env` and edit the values.

## Required Settings

### MongoDB

```bash
MONGODB_URI=mongodb://root:example@localhost:27017/compliance_scanner?authSource=admin
MONGODB_DATABASE=compliance_scanner
```

### Agent

```bash
AGENT_PORT=3001
```

### Dashboard

```bash
DASHBOARD_PORT=8080
AGENT_API_URL=http://localhost:3001
```

## LLM Configuration

The AI features (chat, remediation suggestions) use LiteLLM as a proxy to various LLM providers:

```bash
LITELLM_URL=http://localhost:4000
LITELLM_API_KEY=your-key
LITELLM_MODEL=gpt-4o
LITELLM_EMBED_MODEL=text-embedding-3-small
```

The embed model is used by the RAG/AI Chat feature to generate code embeddings.

## Git Provider Tokens

### GitHub

```bash
GITHUB_TOKEN=ghp_xxxx
GITHUB_WEBHOOK_SECRET=your-webhook-secret
```

### GitLab

```bash
GITLAB_URL=https://gitlab.com
GITLAB_TOKEN=glpat-xxxx
GITLAB_WEBHOOK_SECRET=your-webhook-secret
```

## Issue Tracker Integration

### Jira

```bash
JIRA_URL=https://your-org.atlassian.net
JIRA_EMAIL=user@example.com
JIRA_API_TOKEN=your-api-token
JIRA_PROJECT_KEY=SEC
```

When configured, new findings automatically create Jira issues in the specified project.

## Scan Schedules

Cron expressions for automated scanning:

```bash
# Scan every 6 hours
SCAN_SCHEDULE=0 0 */6 * * *

# Check for new CVEs daily at midnight
CVE_MONITOR_SCHEDULE=0 0 0 * * *
```

## Search Engine

SearXNG is used for CVE enrichment and vulnerability research:

```bash
SEARXNG_URL=http://localhost:8888
```

## NVD API

An NVD API key increases rate limits for CVE lookups:

```bash
NVD_API_KEY=your-nvd-api-key
```

Get a free key at [https://nvd.nist.gov/developers/request-an-api-key](https://nvd.nist.gov/developers/request-an-api-key).

## MCP Server

The MCP server exposes compliance data to external LLMs via the Model Context Protocol. See [MCP Server](/features/mcp-server) for full details.

```bash
# Set MCP_PORT to enable HTTP transport (omit for stdio mode)
MCP_PORT=8090
```

The MCP server shares the `MONGODB_URI` and `MONGODB_DATABASE` variables with the rest of the platform.

## Clone Path

Where the agent stores cloned repository files:

```bash
GIT_CLONE_BASE_PATH=/tmp/compliance-scanner/repos
```

## All Environment Variables

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `MONGODB_URI` | Yes | — | MongoDB connection string |
| `MONGODB_DATABASE` | No | `compliance_scanner` | Database name |
| `AGENT_PORT` | No | `3001` | Agent REST API port |
| `DASHBOARD_PORT` | No | `8080` | Dashboard web UI port |
| `AGENT_API_URL` | No | `http://localhost:3001` | Agent URL for dashboard |
| `LITELLM_URL` | No | `http://localhost:4000` | LiteLLM proxy URL |
| `LITELLM_API_KEY` | No | — | LiteLLM API key |
| `LITELLM_MODEL` | No | `gpt-4o` | LLM model for analysis |
| `LITELLM_EMBED_MODEL` | No | `text-embedding-3-small` | Embedding model for RAG |
| `GITHUB_TOKEN` | No | — | GitHub personal access token |
| `GITHUB_WEBHOOK_SECRET` | No | — | GitHub webhook signing secret |
| `GITLAB_URL` | No | `https://gitlab.com` | GitLab instance URL |
| `GITLAB_TOKEN` | No | — | GitLab access token |
| `GITLAB_WEBHOOK_SECRET` | No | — | GitLab webhook signing secret |
| `JIRA_URL` | No | — | Jira instance URL |
| `JIRA_EMAIL` | No | — | Jira account email |
| `JIRA_API_TOKEN` | No | — | Jira API token |
| `JIRA_PROJECT_KEY` | No | — | Jira project key for issues |
| `SEARXNG_URL` | No | `http://localhost:8888` | SearXNG instance URL |
| `NVD_API_KEY` | No | — | NVD API key for CVE lookups |
| `SCAN_SCHEDULE` | No | `0 0 */6 * * *` | Cron schedule for scans |
| `CVE_MONITOR_SCHEDULE` | No | `0 0 0 * * *` | Cron schedule for CVE checks |
| `GIT_CLONE_BASE_PATH` | No | `/tmp/compliance-scanner/repos` | Local clone directory |
| `KEYCLOAK_URL` | No | — | Keycloak server URL |
| `KEYCLOAK_REALM` | No | — | Keycloak realm name |
| `KEYCLOAK_CLIENT_ID` | No | — | Keycloak client ID |
| `REDIRECT_URI` | No | — | OAuth callback URL |
| `APP_URL` | No | — | Application root URL |
| `OTEL_EXPORTER_OTLP_ENDPOINT` | No | — | OTLP collector endpoint |
| `OTEL_SERVICE_NAME` | No | — | OpenTelemetry service name |
| `MCP_PORT` | No | — | MCP HTTP transport port (omit for stdio) |
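As an added example (not code from the Compliance Scanner project), the following Python pre-flight check parses a `.env` in the format shown on this page and flags the mistakes these settings invite before the services start: the required `MONGODB_URI` missing or still carrying the `root:example` credentials from the example, placeholder token values copied unchanged from `.env.example`, a provider token set without its webhook signing secret, and schedule variables that are not 6-field cron expressions. The placeholder heuristic (`your-` prefix or `xxxx` suffix) and the 6-field cron format are assumptions inferred from the example values above; the sample `.env` text is constructed for the demo.

```python
import re

# Constructed sample .env for this demo (not the project's file); some example values are left in.
SAMPLE_ENV = """\
MONGODB_URI=mongodb://root:example@localhost:27017/compliance_scanner?authSource=admin
GITHUB_TOKEN=ghp_xxxx
LITELLM_API_KEY=sk-real-looking-key
# Scan every 6 hours
SCAN_SCHEDULE=0 0 */6 * * *
CVE_MONITOR_SCHEDULE=0 0 * * *
"""
SECRET_VARS = ("LITELLM_API_KEY", "GITHUB_TOKEN", "GITHUB_WEBHOOK_SECRET",
               "GITLAB_TOKEN", "GITLAB_WEBHOOK_SECRET", "JIRA_API_TOKEN", "NVD_API_KEY")
PLACEHOLDER = re.compile(r"^(your-|.*xxxx$)")        # assumed heuristic for .env.example values
CRON_FIELD = re.compile(r"^(\*|\d+(-\d+)?)(/\d+)?$")  # simplified single-field grammar

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments; later keys override earlier ones."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only (URIs contain '=')
        env[key.strip()] = value.strip().strip("\"'")
    return env

def check_env(env):
    """Return the problems a deployer should fix before starting the services."""
    problems = []
    if not env.get("MONGODB_URI"):                      # the only required variable
        problems.append("MONGODB_URI is required but not set")
    elif "root:example@" in env["MONGODB_URI"]:
        problems.append("MONGODB_URI uses the example root:example credentials")
    for var in SECRET_VARS:
        if var in env and PLACEHOLDER.match(env[var]):
            problems.append(f"{var} still holds the placeholder from .env.example")
    for token, secret in (("GITHUB_TOKEN", "GITHUB_WEBHOOK_SECRET"),
                          ("GITLAB_TOKEN", "GITLAB_WEBHOOK_SECRET")):
        if env.get(token) and not env.get(secret):
            problems.append(f"{token} is set but {secret} is empty, so webhook payloads cannot be verified")
    for var in ("SCAN_SCHEDULE", "CVE_MONITOR_SCHEDULE"):
        fields = env.get(var, "").split()
        if var in env and (len(fields) != 6 or not all(CRON_FIELD.match(f) for f in fields)):
            problems.append(f"{var} must be a 6-field cron expression (sec min hour dom mon dow)")
    return problems
```

Run `check_env(parse_env(open(".env").read()))` against a real file; an empty list means the checks above all passed.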