Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #4
Getting Started
Compliance Scanner is a security compliance platform that scans your Git repositories for vulnerabilities, builds software bills of materials, performs dynamic application testing, and provides AI-powered code intelligence.
Architecture
The platform consists of three main components:
- Agent — Background service that clones repositories, runs scans, builds graphs, and exposes a REST API
- Dashboard — Web UI built with Dioxus (Rust full-stack framework) for viewing results and managing repositories
- MongoDB — Database for storing all scan results, findings, SBOM data, and graph structures
Quick Start with Docker Compose
The fastest way to get running:
```bash
# Clone the repository
git clone <repo-url> compliance-scanner
cd compliance-scanner

# Copy and configure environment variables
cp .env.example .env
# Edit .env with your settings (see Configuration)

# Start all services
docker-compose up -d
```
This starts:
- MongoDB on port 27017
- Agent API on port 3001
- Dashboard on port 8080
- Chromium (for DAST crawling) on port 3003
Open the dashboard at http://localhost:8080.
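As an added example, not part of the original page or of the project's own code, the script below checks that the four services listed above are actually accepting connections after `docker-compose up -d`. It assumes the default host `127.0.0.1` and the port numbers documented here; the `COMPLIANCE_HOST` variable and the function names are my own.

```shell
#!/usr/bin/env bash
# Constructed readiness check for the Docker Compose setup described above.
# Port numbers are the ones documented on this page; everything else is assumed.

HOST="${COMPLIANCE_HOST:-127.0.0.1}"

# service-name:port pairs, as listed for the Docker Compose deployment
SERVICES="mongodb:27017 agent-api:3001 dashboard:8080 chromium:3003"

# Print the documented port for a service name; return 1 if unknown.
port_of() {
    local entry
    for entry in $SERVICES; do
        if [ "${entry%%:*}" = "$1" ]; then
            echo "${entry##*:}"
            return 0
        fi
    done
    return 1
}

# Return 0 if a TCP connection to host:port succeeds, non-zero otherwise.
# bash's /dev/tcp avoids a dependency on nc/curl; timeout prevents a hang
# on ports that silently drop packets instead of refusing the connection.
check_port() {
    local host="$1" port="$2"
    timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Check every documented service, print one status line each, and
# return the number of services that could not be reached.
check_all() {
    local failures=0 entry name port
    for entry in $SERVICES; do
        name="${entry%%:*}"
        port="${entry##*:}"
        if check_port "$HOST" "$port"; then
            echo "OK    ${name}  (${HOST}:${port})"
        else
            echo "DOWN  ${name}  (${HOST}:${port})"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run the check when executed directly (not when sourced for testing).
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ -z "${SKIP_CHECK_ALL:-}" ]; then
    check_all
fi
```

Run it as `COMPLIANCE_HOST=127.0.0.1 ./check-services.sh` right after `docker-compose up -d`; a non-zero exit means at least one service has not come up yet. Running the same script with `COMPLIANCE_HOST` set to the host's external address is also a quick way to confirm which of these ports, MongoDB's 27017 in particular, are reachable from other machines, so you can tighten the compose port mappings before adding real repositories.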
What Happens During a Scan
When you add a repository and trigger a scan, the agent runs through these phases:
- Clone — Clones or pulls the latest code from the Git remote
- SAST — Runs static analysis using Semgrep with rules for OWASP, GDPR, OAuth, and general security
- SBOM — Extracts all dependencies using Syft, identifying packages, versions, licenses, and known vulnerabilities
- CVE Check — Cross-references dependencies against the NVD database for known CVEs
- Graph Build — Parses the codebase to construct a code knowledge graph of functions, classes, and their relationships
- Issue Sync — Creates or updates issues in connected trackers (GitHub, GitLab, Jira) for new findings
Each phase produces results visible in the dashboard immediately.