sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bf5a45c958a00d24d902b9cd67cb754f4bf66a6f
compliance-scanner-agent/docs/guide/getting-started.md
Sharang Parnerkar 94552d1626
All checks were successful
CI / Format (push) Successful in 3s
Details
CI / Clippy (push) Successful in 3m13s
Details
CI / Security Audit (push) Has been skipped
Details
CI / Tests (push) Has been skipped
Details
Add VitePress documentation site with complete user guides 
Covers getting started, repositories, scanning, findings, configuration,
SBOM, code graph, impact analysis, DAST, AI chat, issue tracker integration,
Docker deployment, environment variables, Keycloak auth, and OpenTelemetry.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 01:18:58 +01:00

2.1 KiB
Raw Blame History

Getting Started

Compliance Scanner is a security compliance platform that scans your Git repositories for vulnerabilities, builds software bills of materials, performs dynamic application testing, and provides AI-powered code intelligence.

Architecture

The platform consists of three main components:

  • Agent — Background service that clones repositories, runs scans, builds graphs, and exposes a REST API
  • Dashboard — Web UI built with Dioxus (Rust full-stack framework) for viewing results and managing repositories
  • MongoDB — Database for storing all scan results, findings, SBOM data, and graph structures

Quick Start with Docker Compose

The fastest way to get running:

# Clone the repository
git clone <repo-url> compliance-scanner
cd compliance-scanner

# Copy and configure environment variables
cp .env.example .env
# Edit .env with your settings (see Configuration)

# Start all services
docker-compose up -d

This starts:

  • MongoDB on port 27017
  • Agent API on port 3001
  • Dashboard on port 8080
  • Chromium (for DAST crawling) on port 3003

Open the dashboard at http://localhost:8080.

What Happens During a Scan

When you add a repository and trigger a scan, the agent runs through these phases:

  1. Clone — Clones or pulls the latest code from the Git remote
  2. SAST — Runs static analysis using Semgrep with rules for OWASP, GDPR, OAuth, and general security
  3. SBOM — Extracts all dependencies using Syft, identifying packages, versions, licenses, and known vulnerabilities
  4. CVE Check — Cross-references dependencies against the NVD database for known CVEs
  5. Graph Build — Parses the codebase to construct a code knowledge graph of functions, classes, and their relationships
  6. Issue Sync — Creates or updates issues in connected trackers (GitHub, GitLab, Jira) for new findings

Each phase produces results visible in the dashboard immediately.

Next Steps

Reference in New Issue View Git Blame Copy Permalink