Getting Started with Mayo ASPM
This guide walks you through the complete onboarding journey — from creating your account to interpreting your first scan results. By the end, you will have a connected GitHub organization, a completed scan, and a clear understanding of how Mayo ASPM fits into your security workflow.
What you will learn
| Step | What happens | Time |
|---|---|---|
| 1. Account setup | Create your account, verify email, set up your organization, choose a tier | ~3 min |
| 2. Connect GitHub | Install the GitHub App, grant repository access, watch repos sync | ~2 min |
| 3. First scan | Trigger an ad-hoc scan, choose a scanner, select a branch | ~3 min |
| 4. Understanding results | Read findings, interpret severity, navigate to code, plan remediation | ~5 min |
| 5. Key concepts | Learn the data model — organizations, assets, findings, projects, policies | Reference |
Total time: under 15 minutes
Steps 1 through 4 take most teams less than 10 minutes. Step 5 is a reference you can return to any time.
Prerequisites
You do not need to install any software, configure any servers, or write any YAML. All you need is:
| Requirement | Details |
|---|---|
| A modern web browser | Chrome, Firefox, Edge, or Safari — latest two major versions. |
| A GitHub account | Personal account or organization. Mayo ASPM connects via a GitHub App — it does not need your password or personal access token. |
| Repositories to scan | At least one repository with source code. Public or private — both work. |
No GitHub yet?
If your code lives outside GitHub today, you can still use Mayo ASPM by adding public repositories manually via URL. See Adding Public Repos for instructions.
The onboarding journey
Here is the big picture of what you are about to do:
```text
Sign Up ──> Verify Email ──> Create Organization
                                      │
                              Install GitHub App
                                      │
                              Repositories sync
                                      │
                           Trigger your first scan
                                      │
                               Review findings
                                      │
                        Enable PR scanning (optional)
```
Each step builds on the previous one, but you can return to any step later. Nothing is permanent — you can add more repositories, change scanners, or adjust policies at any time.
Step 1: Create your account
Head to mayoaspm.com and sign up with your email address. You will create an organization — the top-level container for all your assets, findings, and team members.
Full instructions: Account Setup
Step 2: Connect GitHub
Install the Mayo ASPM GitHub App on your GitHub organization (or personal account). Select which repositories you want Mayo ASPM to monitor. Repositories appear as assets in the platform within seconds.
Full instructions: Connect GitHub
Step 3: Run your first scan
Navigate to any asset, click Scan, choose a scanner (Semgrep is a great default), and hit Start. The scan typically completes in under a minute for small-to-medium repositories.
Full instructions: Your First Scan
Step 4: Understand the results
Once the scan completes, findings appear on the asset's Findings tab. Each finding includes a severity level, file path, line number, code snippet, and (when available) CWE or CVE identifiers. Learn how to read and act on them.
Full instructions: Understanding Results
Step 5: Learn the key concepts
Mayo ASPM has a small but important set of concepts — organizations, assets, findings, projects, policies, and integrations. Understanding how they relate makes everything else click.
Full instructions: Key Concepts
What comes after onboarding?
Once you have completed the getting-started journey, the most impactful next steps are:
- Enable PR scanning — automatically scan every pull request and leave comments on new vulnerabilities. See PR Scanning.
- Write triage policies — use OPA/Rego to auto-classify findings by severity, ownership, or project. See OPA Policies.
- Connect Jira — generate tickets from findings so remediation enters your sprint backlog. See Jira Integration.
- Schedule nightly scans — keep your security posture current without manual effort. See Scheduled Scans.
- Explore the API — automate anything. See API Reference.
You can do these in any order
There is no required sequence after onboarding. Pick the feature that solves your most pressing problem and start there.
Ready? Let's begin with Account Setup.