Configuration

Compliance Scanner is configured through environment variables. Copy .env.example to .env and edit the values.

Required Settings

MongoDB

```bash
MONGODB_URI=mongodb://root:example@localhost:27017/compliance_scanner?authSource=admin
MONGODB_DATABASE=compliance_scanner
```

Agent

```bash
AGENT_PORT=3001
```

Dashboard

```bash
DASHBOARD_PORT=8080
AGENT_API_URL=http://localhost:3001
```

LLM Configuration

The AI features (chat, remediation suggestions) use LiteLLM as a proxy to various LLM providers:

```bash
LITELLM_URL=http://localhost:4000
LITELLM_API_KEY=your-key
LITELLM_MODEL=gpt-4o
LITELLM_EMBED_MODEL=text-embedding-3-small
```

The embedding model is used by the RAG/AI Chat feature to generate code embeddings.

Git Provider Tokens

GitHub

```bash
GITHUB_TOKEN=ghp_xxxx
GITHUB_WEBHOOK_SECRET=your-webhook-secret
```

GitLab

```bash
GITLAB_URL=https://gitlab.com
GITLAB_TOKEN=glpat-xxxx
GITLAB_WEBHOOK_SECRET=your-webhook-secret
```

Issue Tracker Integration

Jira

```bash
JIRA_URL=https://your-org.atlassian.net
JIRA_EMAIL=user@example.com
JIRA_API_TOKEN=your-api-token
JIRA_PROJECT_KEY=SEC
```

When configured, new findings automatically create Jira issues in the specified project.

Scan Schedules

Cron expressions for automated scanning:

```bash
# Scan every 6 hours
SCAN_SCHEDULE=0 0 */6 * * *

# Check for new CVEs daily at midnight
CVE_MONITOR_SCHEDULE=0 0 0 * * *
```

Search Engine

SearXNG is used for CVE enrichment and vulnerability research:

```bash
SEARXNG_URL=http://localhost:8888
```

NVD API

An NVD API key increases rate limits for CVE lookups:

```bash
NVD_API_KEY=your-nvd-api-key
```

Get a free key at https://nvd.nist.gov/developers/request-an-api-key.

MCP Server

The MCP server exposes compliance data to external LLMs via the Model Context Protocol. See MCP Server for full details.

```bash
# Set MCP_PORT to enable HTTP transport (omit for stdio mode)
MCP_PORT=8090
```

The MCP server shares the MONGODB_URI and MONGODB_DATABASE variables with the rest of the platform.

Clone Path

Where the agent stores cloned repository files:

```bash
GIT_CLONE_BASE_PATH=/tmp/compliance-scanner/repos
```

All Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| `MONGODB_URI` | Yes | | MongoDB connection string |
| `MONGODB_DATABASE` | No | `compliance_scanner` | Database name |
| `AGENT_PORT` | No | `3001` | Agent REST API port |
| `DASHBOARD_PORT` | No | `8080` | Dashboard web UI port |
| `AGENT_API_URL` | No | `http://localhost:3001` | Agent URL for dashboard |
| `LITELLM_URL` | No | `http://localhost:4000` | LiteLLM proxy URL |
| `LITELLM_API_KEY` | No | | LiteLLM API key |
| `LITELLM_MODEL` | No | `gpt-4o` | LLM model for analysis |
| `LITELLM_EMBED_MODEL` | No | `text-embedding-3-small` | Embedding model for RAG |
| `GITHUB_TOKEN` | No | | GitHub personal access token |
| `GITHUB_WEBHOOK_SECRET` | No | | GitHub webhook signing secret |
| `GITLAB_URL` | No | `https://gitlab.com` | GitLab instance URL |
| `GITLAB_TOKEN` | No | | GitLab access token |
| `GITLAB_WEBHOOK_SECRET` | No | | GitLab webhook signing secret |
| `JIRA_URL` | No | | Jira instance URL |
| `JIRA_EMAIL` | No | | Jira account email |
| `JIRA_API_TOKEN` | No | | Jira API token |
| `JIRA_PROJECT_KEY` | No | | Jira project key for issues |
| `SEARXNG_URL` | No | `http://localhost:8888` | SearXNG instance URL |
| `NVD_API_KEY` | No | | NVD API key for CVE lookups |
| `SCAN_SCHEDULE` | No | `0 0 */6 * * *` | Cron schedule for scans |
| `CVE_MONITOR_SCHEDULE` | No | `0 0 0 * * *` | Cron schedule for CVE checks |
| `GIT_CLONE_BASE_PATH` | No | `/tmp/compliance-scanner/repos` | Local clone directory |
| `KEYCLOAK_URL` | No | | Keycloak server URL |
| `KEYCLOAK_REALM` | No | | Keycloak realm name |
| `KEYCLOAK_CLIENT_ID` | No | | Keycloak client ID |
| `REDIRECT_URI` | No | | OAuth callback URL |
| `APP_URL` | No | | Application root URL |
| `OTEL_EXPORTER_OTLP_ENDPOINT` | No | | OTLP collector endpoint |
| `OTEL_SERVICE_NAME` | No | | OpenTelemetry service name |
| `MCP_PORT` | No | | MCP HTTP transport port (omit for stdio) |
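As an added example (not part of Compliance Scanner), a small Python checker that reads a `.env`, applies the defaults from the table above, and flags the mistakes most likely to survive a copy of `.env.example`: the required `MONGODB_URI` missing or still carrying the sample credential, a secret left at its placeholder value, and a schedule that does not use the six-field cron format shown in the Scan Schedules snippet. The placeholder set, the six-field rule and the sample `.env` are assumptions taken from the snippets on this page, not project behaviour.

```python
from urllib.parse import urlparse

# Required variables and documented defaults, taken from the table on this page.
REQUIRED = {"MONGODB_URI"}
DEFAULTS = {
    "MONGODB_DATABASE": "compliance_scanner",
    "AGENT_PORT": "3001",
    "DASHBOARD_PORT": "8080",
    "SCAN_SCHEDULE": "0 0 */6 * * *",
    "CVE_MONITOR_SCHEDULE": "0 0 0 * * *",
}
# Sample secrets from the snippets above; shipping them unchanged is a misconfiguration.
PLACEHOLDERS = {"your-key", "ghp_xxxx", "glpat-xxxx", "your-webhook-secret",
                "your-api-token", "your-nvd-api-key"}
SECRET_SUFFIXES = ("_KEY", "_TOKEN", "_SECRET")
SCHEDULES = ("SCAN_SCHEDULE", "CVE_MONITOR_SCHEDULE")

def parse_env(text):
    """Parse KEY=VALUE lines; blanks and '#' comments are skipped (no quoting or expansion)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def check_env(env):
    """Apply defaults and return (effective config, list of problem strings)."""
    cfg = {**DEFAULTS, **{k: v for k, v in env.items() if v}}
    problems = [f"{k} is required but not set" for k in sorted(REQUIRED) if not cfg.get(k)]
    for key, value in cfg.items():
        if key.endswith(SECRET_SUFFIXES) and value in PLACEHOLDERS:
            problems.append(f"{key} still holds the .env.example placeholder")
        # The page's schedules have six fields (seconds first), e.g. '0 0 */6 * * *'.
        if key in SCHEDULES and len(value.split()) != 6:
            problems.append(f"{key} must be a six-field cron expression")
    uri = cfg.get("MONGODB_URI", "")
    parts = urlparse(uri)
    if uri and parts.scheme not in ("mongodb", "mongodb+srv"):
        problems.append("MONGODB_URI must use the mongodb:// or mongodb+srv:// scheme")
    elif parts.password == "example":  # the sample credential shown in the MongoDB snippet
        problems.append("MONGODB_URI still uses the sample password from .env.example")
    return cfg, problems

# Constructed sample .env containing several of the mistakes the checks above catch.
SAMPLE_ENV = """MONGODB_URI=mongodb://root:example@localhost:27017/compliance_scanner?authSource=admin
GITHUB_TOKEN=ghp_xxxx
SCAN_SCHEDULE=0 */6 * * *
"""
```

Run `check_env(parse_env(open(".env").read()))` before starting the agent; a non-empty problem list means the deployment is still carrying values from `.env.example`.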