# Running Your First Scan
You have an account, an organization, and connected repositories. Now it is time to scan your code for vulnerabilities. This page walks you through triggering an ad-hoc scan — a one-time, on-demand scan that you start manually.
## Step 1: Navigate to Assets
- In the Mayo ASPM dashboard, click Assets in the left sidebar.
- You will see a list of all repositories connected from GitHub.
- Click the repository you want to scan.
**Pick a repository you know well**
For your first scan, choose a repository whose code you are familiar with. This makes it easier to evaluate whether findings are real issues or false positives, and helps you learn how Mayo ASPM maps vulnerabilities to your code.
## Step 2: Open the scan dialog
- On the asset detail page, click the Scan button in the top-right area.
- The New Scan dialog opens.
## Step 3: Choose a scanner
Mayo ASPM supports multiple scanners, each with different strengths. The dialog presents the available scanners:
| Scanner | Best for | Languages / targets |
|---|---|---|
| Semgrep | Static analysis, custom rules, broad language support | Python, JavaScript, TypeScript, Go, Java, Ruby, C, and many more |
| Bandit | Python-specific security analysis | Python |
| Trivy | Dependency vulnerabilities and container scanning | All languages (scans lockfiles and manifests) |
| Gitleaks | Secret detection (API keys, tokens, passwords) | Language-agnostic (scans all text files) |
| Checkov | Infrastructure-as-code misconfigurations | Terraform, CloudFormation, Kubernetes YAML, Dockerfile |
**Start with Semgrep**
If you are not sure which scanner to pick, Semgrep is an excellent default. It covers the widest range of languages and vulnerability categories, and it runs fast.
Select a scanner by clicking its card.
## Step 4: Configure scan options
After selecting a scanner, you can configure:
### Branch
Choose which branch to scan. The default branch (usually main or master) is pre-selected. You can select any branch from the dropdown.
**Why branch matters**
Scanning your default branch gives you a baseline of your production code's security posture. Scanning a feature branch lets you evaluate changes before they merge.
### Rules (optional)
Some scanners support rule selection:
- Semgrep — you can choose rule packs (e.g., `p/security-audit`, `p/owasp-top-ten`, `p/secrets`) or leave it on the default rule set.
- Bandit — you can filter by confidence level (Low, Medium, High).
- Other scanners — use their default configuration, which covers the most common vulnerability patterns.
For your first scan, leave the defaults. You can experiment with custom rule sets later.
### Scan name (optional)
You can give the scan a descriptive name like "Initial baseline scan" for easy identification in scan history. If left blank, Mayo ASPM generates a name with the scanner and timestamp.
## Step 5: Start the scan
Click Start Scan. Here is what happens next:
```text
You click Start Scan
        │
        ▼
Scan job enters the queue
        │
        ▼
Mayo ASPM clones the selected branch
        │
        ▼
The chosen scanner runs against the code
        │
        ▼
Results are parsed and normalized
        │
        ▼
Findings are created/updated on the asset
        │
        ▼
Scan status changes to "Completed"
```
## What to expect during the scan
### Scan states
| State | Meaning |
|---|---|
| Queued | The scan is waiting for an available scanner slot. Usually lasts a few seconds. |
| Running | The scanner is actively analyzing your code. |
| Completed | The scan finished successfully. Findings are available. |
| Failed | Something went wrong. Check the scan logs for details. |
### How long does it take?
Scan duration depends on the repository size and the scanner:
| Repository size | Typical duration |
|---|---|
| Small (< 1,000 files) | 10 - 30 seconds |
| Medium (1,000 - 10,000 files) | 30 seconds - 2 minutes |
| Large (10,000+ files) | 2 - 5 minutes |
**You do not need to wait**
You can navigate away from the scan page. The scan runs in the background, and you can return to see results when it completes. The Scans page shows all running and completed scans.
### Monitoring progress
While the scan runs, you can:
- Stay on the asset page and watch the status indicator update.
- Navigate to Scans in the left sidebar to see the scan queue with all active and completed scans.
- Click into a running scan to see real-time logs (available for most scanners).
## Viewing results
When the scan completes:
- From the asset page: the Findings tab updates automatically with new findings. A badge shows the count.
- From the Scans page: click the completed scan row to see a summary — number of findings by severity, scan duration, and scanner details.
- From the Dashboard: the dashboard metrics update in real time to reflect the new findings.
### The scan summary
The scan summary screen shows:
| Metric | Description |
|---|---|
| Total findings | How many unique vulnerabilities were found in this scan. |
| By severity | Breakdown into Critical, High, Medium, Low, and Info. |
| New findings | Findings that did not exist before this scan (genuinely new). |
| Existing findings | Findings that were already known from a previous scan (re-confirmed). |
| Fixed findings | Findings from a previous scan that no longer appear (the code was fixed). |
| Duration | How long the scan took from start to finish. |
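To make the New / Existing / Fixed split concrete, here is an added illustration (not Mayo ASPM's own code) of how a scan summary can be derived by comparing two scans of the same asset: findings are matched on a location-based fingerprint, and duplicate reports are collapsed so "Total findings" counts unique vulnerabilities. The rule IDs, paths and line numbers in the sample data are constructed for the example.

```python
from dataclasses import dataclass

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


@dataclass(frozen=True)
class Finding:
    scanner: str
    rule_id: str
    path: str
    line: int
    severity: str

    def fingerprint(self) -> tuple:
        # Identity used to match findings across scans: same scanner, rule
        # and location. A finding whose code merely moved to another line
        # will therefore show up as one "fixed" plus one "new" finding.
        return (self.scanner, self.rule_id, self.path, self.line)


def summarize_scan(previous: list, current: list) -> dict:
    """Compare the current scan against the previous one on the same asset."""
    prev = {f.fingerprint(): f for f in previous}
    cur = {f.fingerprint(): f for f in current}  # collapses duplicate reports
    return {
        "total": len(cur),
        "by_severity": {s: sum(1 for f in cur.values() if f.severity == s)
                        for s in SEVERITIES},
        "new": len(cur.keys() - prev.keys()),        # only in current scan
        "existing": len(cur.keys() & prev.keys()),   # re-confirmed
        "fixed": len(prev.keys() - cur.keys()),      # gone since last scan
    }


# Constructed sample data (hypothetical rule IDs and paths, not real output).
PREVIOUS_SCAN = [
    Finding("semgrep", "example.shell-true", "app/run.py", 12, "High"),
    Finding("semgrep", "example.sqli", "app/db.py", 40, "Critical"),
    Finding("semgrep", "example.weak-hash", "app/util.py", 7, "Low"),
]
CURRENT_SCAN = [
    Finding("semgrep", "example.shell-true", "app/run.py", 12, "High"),
    Finding("semgrep", "example.shell-true", "app/run.py", 12, "High"),  # duplicate
    Finding("semgrep", "example.weak-hash", "app/util.py", 7, "Low"),
    Finding("semgrep", "example.xss", "app/views.py", 88, "Medium"),
]

if __name__ == "__main__":
    print(summarize_scan(PREVIOUS_SCAN, CURRENT_SCAN))
```

With the sample data the Critical finding in `app/db.py` is reported as fixed, the XSS finding as new, and the two unchanged findings as existing.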
**Zero findings?**
If the scan returns zero findings, that is a good sign — but it does not necessarily mean there are no vulnerabilities. It may mean the scanner's rule set does not cover the patterns in your code, or the code is genuinely clean. Try running a different scanner for broader coverage.
## What if the scan fails?
Scan failures are uncommon but can happen. Common causes:
| Cause | Solution |
|---|---|
| Repository access revoked | Re-grant access to the repository in your GitHub App settings. |
| Branch not found | Ensure the branch you selected still exists in the repository. |
| Timeout | Very large repositories may exceed the scan time limit. Try scanning a specific directory or use a faster scanner. |
| Scanner error | Check the scan logs for the specific error message. Most are transient — retry the scan. |
To retry a failed scan, click the Retry button on the scan detail page.
## Next steps
You have your first scan results. The next page explains how to read and interpret them.
Next: Understanding Results