compliance-scanner-agent/docs/guide/repositories.md

# Adding Repositories

Repositories are the core resource in Certifai. Each tracked repository is scanned on a schedule, and its results are available across all features -- findings, SBOM, code graph, AI chat, and issue tracking.

## Adding a Repository

1. Navigate to **Repositories** in the sidebar
2. Click **Add Repository**
3. Fill in the form:
   - **Name** -- a display name for the repository
   - **Git URL** -- the clone URL (HTTPS or SSH), e.g. `https://github.com/org/repo.git` or `git@github.com:org/repo.git`
   - **Default Branch** -- the branch to scan, e.g. `main` or `master`
4. Click **Add**

![Add repository dialog](/screenshots/add-repository.png)

The repository appears in the list immediately. It will not be scanned until you trigger a scan manually or the next scheduled scan runs.

## Public vs Private Repositories

**Public repositories** can be cloned using an HTTPS URL with no additional setup.

**Private repositories** require SSH access. When you add a repository with an SSH URL (e.g. `git@github.com:org/repo.git`), Certifai uses an SSH deploy key to authenticate.

### Getting the SSH Public Key

To grant Certifai access to a private repository:

1. Go to the **Repositories** page
2. The platform's SSH public key is available for copying
3. Add this key as a **deploy key** in your Git hosting provider:
   - **GitHub**: Repository Settings > Deploy keys > Add deploy key
   - **GitLab**: Repository Settings > Repository > Deploy keys
   - **Gitea**: Repository Settings > Deploy Keys > Add Deploy Key

::: tip
Deploy keys are scoped to a single repository and are read-only by default. This is the recommended approach for granting Certifai access to private code.
:::

## Configuring an Issue Tracker

You can connect an issue tracker so that new findings are automatically created as issues in your existing workflow.

When adding or editing a repository, expand the **Issue Tracker** section to configure:

![Add repository dialog with issue tracker options](/screenshots/add-repository-tracker.png)

### Supported Trackers

| Tracker | Required Fields |
|---------|----------------|
| **GitHub Issues** | Repository owner, repository name, API token |
| **GitLab Issues** | Project ID, GitLab URL, API token |
| **Gitea Issues** | Repository owner, repository name, Gitea URL, API token |
| **Jira** | Project key, Jira URL, email, API token |

Each tracker is configured per-repository, so different repositories can use different trackers.

## Editing Repository Settings

Click the **Edit** button on any repository row to modify its settings, including the issue tracker configuration.

![Edit repository modal with tracker configuration](/screenshots/edit-repository.png)

From the edit modal you can:

- Change the repository name, Git URL, or default branch
- Add, modify, or remove issue tracker configuration
- View the webhook URL and secret for this repository (see [Webhooks & PR Reviews](/guide/webhooks))

## Repository List

The repositories page shows all tracked repositories in a table.

![Repository list table](/screenshots/repositories-list.png)

| Column | Description |
|--------|-------------|
| Name | Repository display name |
| Git URL | Clone URL |
| Branch | Default branch being scanned |
| Findings | Total number of security findings |
| Last Scanned | Relative timestamp of the most recent scan |

## Triggering a Scan

Click the **Scan** button on any repository row to trigger an immediate scan. The scan runs in the background through all phases (clone, SAST, SBOM, CVE, graph, issue sync). You can monitor progress on the Overview page under recent scan runs.

## Deleting a Repository

Click the **Delete** button on a repository row. A confirmation dialog appears warning that this action permanently removes:

- All security findings
- SBOM entries and vulnerability data
- Scan run history
- Code graph data
- Embedding vectors (for AI chat)
- CVE alerts
- Tracker issues

This action cannot be undone.