Skip to content

Scheduled Scans

Scheduled scans provide continuous, automated security monitoring across all active assets in your organization. Every night, Mayo ASPM runs a full scan pipeline — ensuring your security posture is always up to date without manual intervention.

How Nightly Scans Work

Mayo ASPM uses Apache Airflow to orchestrate a two-phase nightly pipeline:

Phase 1: Repository Sync (2:00 AM UTC)

Before scanning begins, Mayo ASPM synchronizes repository metadata from GitHub:

  1. For each integration asset, the GitHub App fetches the latest:
    • Default branch name
    • Repository description
    • Repository visibility (public/private)
    • Active/archived status
  2. New repositories added to the GitHub App since the last sync are discovered and created as assets
  3. Archived repositories are flagged but not automatically deactivated
  4. The Last Synced timestamp on each asset is updated

Public Assets

Public assets (manually added) are not included in the repository sync phase. Their metadata reflects the state captured when they were initially added.

Phase 2: Scheduled Scans (3:00 AM UTC)

One hour after the repo sync completes, the scan pipeline begins:

  1. Mayo ASPM queries all active assets in your organization
  2. For each active asset, scans are queued using the configured scanner set
  3. Scans execute against each asset's default branch
  4. Results are parsed, deduplicated, and stored as findings
  5. OPA policies are evaluated against new findings (if configured)
2:00 AM UTC  ─── Repository Sync ───────────────┐
3:00 AM UTC  ─── Scan Pipeline Begins ───────────┤
             │                                    │
             ├── Asset 1: OpenGrep scan           │
             ├── Asset 1: Trivy scan              │
             ├── Asset 2: OpenGrep scan           │
             ├── Asset 2: Trivy scan              │
             ├── ...                              │
             └── Asset N: All configured scans    │
~5:00 AM UTC ─── Pipeline Completes ─────────────┘

What Gets Scanned

Included in Nightly Scans

Criteria Included?
Integration assets with Active status Yes
Public assets with Active status Yes
Assets with Inactive status No
Newly synced repositories (from Phase 1) Yes, if set to Active

Default Scanner Configuration

By default, scheduled scans run the following scanners against each asset:

Scanner Rule Set Purpose
OpenGrep Default Broad SAST coverage
Trivy Default Dependency vulnerability detection
Gitleaks Default Secrets detection

Customizing Scheduled Scanners

You can customize which scanners run during scheduled scans through your organization settings or via the API. See the Configuring via API Keys section below.

The Airflow DAG

The scheduled scan pipeline is managed by an Apache Airflow Directed Acyclic Graph (DAG). The DAG handles:

  • Task ordering — Ensures repo sync completes before scans begin
  • Retry logic — Failed scans are retried up to 2 times with exponential backoff
  • Parallelism — Multiple scans run concurrently up to your plan's concurrency limit
  • Timeouts — Individual scans that exceed the maximum duration are terminated
  • Alerting — Failed DAG runs generate alerts for the Mayo ASPM operations team

DAG Schedule

Task Schedule Duration (typical)
Repository sync 2:00 AM UTC daily 5-15 minutes
Scan pipeline 3:00 AM UTC daily 1-3 hours (varies by asset count)

Scan Window

If your organization has a large number of assets, the scan pipeline may take several hours to complete. Scans are prioritized by asset creation date (oldest first) to ensure long-standing assets are always covered, even if the pipeline runs long.

Configuring via API Keys

To customize scheduled scan behavior programmatically, use the Mayo ASPM API with an API key:

Setting Scheduled Scanners

Configure which scanners run during nightly scans:

curl -X PUT https://mayoaspm.com/api/v1/org/scheduled-scan-config \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "scanners": ["opengrep", "trivy", "gitleaks"],
    "rule_sets": {
      "opengrep": "default",
      "trivy": "default",
      "gitleaks": "default"
    }
  }'

Excluding Specific Assets

Exclude specific assets from scheduled scans without deactivating them entirely:

curl -X PUT https://mayoaspm.com/api/v1/assets/{asset_id}/schedule \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "scheduled_scan_enabled": false
  }'

Viewing Scheduled Scan History

Retrieve the history of scheduled scan runs:

curl https://mayoaspm.com/api/v1/org/scheduled-scans \
  -H "Authorization: Bearer YOUR_API_KEY"

Response:

{
  "runs": [
    {
      "id": "run_20260415",
      "started_at": "2026-04-15T03:00:00Z",
      "completed_at": "2026-04-15T04:47:12Z",
      "status": "completed",
      "assets_scanned": 39,
      "total_scans": 117,
      "new_findings": 12,
      "failed_scans": 0
    }
  ]
}

Monitoring Scheduled Scans

Dashboard

The Mayo ASPM dashboard displays scheduled scan metrics including:

  • Last scheduled scan — When the most recent nightly pipeline completed
  • Assets scanned — How many assets were included in the last run
  • New findings — Findings discovered in the most recent scheduled scan
  • Trend charts — Findings over time, broken down by severity

Notifications

After each nightly scan pipeline completes, Mayo ASPM can notify you via:

  • Email digest — A summary of new findings from the nightly scan
  • Dashboard banner — A notification banner on the Mayo ASPM dashboard

Scheduled Scan Results

Findings from scheduled scans are treated identically to findings from ad-hoc scans:

  • They appear on the Findings page with full filtering and triage capabilities
  • They are deduplicated against existing findings using fingerprint matching
  • OPA policies are evaluated against new findings for automatic triage
  • The scan record appears in the asset's Scan History

The key difference is that scheduled scans automatically cover your entire active asset inventory, ensuring nothing is missed.

Troubleshooting

Scans Not Running

If scheduled scans are not executing:

  1. Verify your assets are set to Active status
  2. Check that you have a valid API key configured (if using API-based configuration)
  3. Confirm your organization's plan supports scheduled scans
  4. Check the Scan Queue for capacity issues

Missing Assets in Scheduled Scans

If certain assets are not being scanned:

  1. Verify the asset's Active toggle is enabled
  2. Check if the asset has been excluded via the API
  3. For integration assets, verify the GitHub App still has access to the repository

Delayed Results

If scheduled scan results appear later than expected:

  • Large organizations with many assets may see the pipeline run for several hours
  • Check the Scan Queue page for any stuck or long-running scans
  • Verify no failed scans are consuming retry attempts

Next Steps