Assets & Repositories
Assets are the foundational building blocks of Mayo ASPM. Every security finding, scan, and policy evaluation is tied back to an asset — making them the starting point for your entire application security posture.
What Is an Asset?
An asset in Mayo ASPM represents a code repository that you want to monitor for security vulnerabilities. Each asset tracks:
- The repository name and owner
- The default branch being monitored
- Which projects the asset belongs to
- Its active/inactive status
- Scan history and last sync timestamp
Assets are the link between your source code and your security findings. When a scanner runs against an asset, the resulting findings are normalized, deduplicated, and stored against that asset for triage and tracking.
Two Types of Assets
Mayo ASPM supports two distinct methods for adding assets to your organization:
| Feature | Integration Assets | Public Assets |
|---|---|---|
| How added | Automatically synced via GitHub App | Manually added by pasting a URL |
| Repository visibility | Public or private | Public only |
| PR scanning | Supported | Not supported |
| Scheduled scans | Supported | Supported |
| Ad-hoc scans | Supported | Supported |
| Automatic sync | Yes — repos sync nightly | No automatic metadata sync |
| Branch detection | Automatic (default branch) | Automatic (default branch) |
Integration Assets
Integration assets are repositories synced automatically when you install the Mayo ASPM GitHub App on your GitHub organization. Once the app is installed:
- Mayo ASPM discovers all repositories the app has access to
- Each repository is created as an asset in your organization
- Repository metadata (default branch, visibility, description) is synced
- New repositories added to the GitHub App are picked up during the nightly sync
Recommended Approach
Integration assets unlock the full power of Mayo ASPM, including PR scanning, automatic branch detection, and nightly scheduled scans. Install the GitHub App for the best experience.
Public Assets
Public assets are repositories you add manually by providing a GitHub URL. This is useful for:
- Monitoring open-source dependencies you rely on
- Scanning public repositories without installing the GitHub App
- Quick one-off security assessments of public code
Limitations
Public assets do not support PR scanning because Mayo ASPM does not have webhook access to repositories added this way. To enable PR scanning, connect via the GitHub App integration instead.
How Assets Relate to Projects
Every asset belongs to at least one project. Projects are organizational containers that group related assets together — for example, by team, product line, or business unit.
When an asset is created, Mayo ASPM automatically generates a project for it if one does not already exist. You can also assign assets to additional projects manually or through OPA policies.
```text
Organization
├── Project: Payment Service
│   ├── Asset: payments-api
│   ├── Asset: payments-frontend
│   └── Asset: payments-shared-lib
├── Project: Auth Platform
│   ├── Asset: auth-service
│   └── Asset: auth-sdk
└── Project: Open Source Monitoring
    ├── Asset: lodash (public)
    └── Asset: express (public)
```
The relationship between assets and projects is many-to-many — a single asset can belong to multiple projects, and a single project can contain many assets.
The Assets Table
The main Assets page displays all of your organization's assets in a paginated, searchable table. Here is what each column shows:
| Column | Description |
|---|---|
| Repository | The full repository name (e.g., org/repo-name). Clicking the name navigates to the asset detail page. |
| Type | A badge indicating how the asset was added: Integration (blue) or Public (gray). |
| Branch | The default branch being monitored (e.g., main, master, develop). |
| Projects | A count badge showing how many projects this asset belongs to. Click the badge to open a modal listing all associated projects. |
| Active | A toggle indicating whether the asset is actively monitored. Inactive assets are excluded from scheduled scans. |
| Last Synced | The timestamp of the last metadata sync from GitHub. |
| Scans | The total number of completed scans for this asset. |
| Actions | A Scan button to trigger an ad-hoc scan immediately. |
Column Sorting
Click any column header to sort the table by that column. Click again to reverse the sort order.
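The rules on this page imply where monitoring coverage is thinner: inactive assets are excluded from scheduled scans, public assets get no PR scanning, and integration assets depend on the nightly sync. The following added example (not Mayo ASPM code) audits a constructed inventory for those gaps and groups them by project. The record fields, the `acme` repositories and the 36-hour staleness threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Field names mirror the Assets table columns;
# this record shape is an assumption, not a Mayo ASPM export format.
ASSETS = [
    {"repository": "acme/payments-api", "type": "integration", "active": True,
     "last_synced": "2024-05-02T01:00:00+00:00", "projects": ["Payment Service"]},
    {"repository": "acme/payments-shared-lib", "type": "integration", "active": False,
     "last_synced": "2024-05-02T01:00:00+00:00",
     "projects": ["Payment Service", "Auth Platform"]},
    {"repository": "acme/auth-service", "type": "integration", "active": True,
     "last_synced": "2024-04-27T01:00:00+00:00", "projects": ["Auth Platform"]},
    {"repository": "expressjs/express", "type": "public", "active": True,
     "last_synced": None, "projects": ["Open Source Monitoring"]},
]

def coverage_gaps(asset, now, max_sync_age=timedelta(hours=36)):
    """Return the monitoring gaps for one asset, per the rules on this page."""
    gaps = []
    if not asset["active"]:
        gaps.append("inactive: excluded from scheduled scans")
    if asset["type"] == "public":
        # Public assets have no webhook access and no automatic metadata sync.
        gaps.append("public asset: no PR scanning")
    elif asset["last_synced"] is None:
        gaps.append("integration asset never synced")
    elif now - datetime.fromisoformat(asset["last_synced"]) > max_sync_age:
        # Assumed threshold: one nightly sync plus slack.
        gaps.append("integration asset missed nightly sync")
    return gaps

def gaps_by_project(assets, now):
    """Group gaps per project; an asset in several projects appears in each."""
    report = defaultdict(dict)
    for asset in assets:
        gaps = coverage_gaps(asset, now)
        if not gaps:
            continue
        for project in asset["projects"]:  # many-to-many relationship
            report[project][asset["repository"]] = gaps
    return dict(report)

if __name__ == "__main__":
    now = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
    for project, repos in sorted(gaps_by_project(ASSETS, now).items()):
        print(project)
        for repo, gaps in sorted(repos.items()):
            print(f"  {repo}: {'; '.join(gaps)}")
```

Because the asset-to-project relationship is many-to-many, the inactive shared library shows up under both projects that contain it.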
Quick Actions
From the Assets table, you can:
- Trigger a scan — Click the Scan button on any row to open the scan configuration modal
- View asset details — Click the repository name to see full details, findings, and scan history
- View projects — Click the project count badge to see which projects the asset belongs to
- Add a public asset — Click the Add Asset button in the top-right corner
Next Steps
- Adding Public Repos — Learn how to manually add public repositories
- Managing Assets — Deep dive into filtering, searching, and managing your asset inventory