---
url: /en/security/quickstart.md
description: >
  Get started quickly with CNB code security scanning, including minimal
  configuration, scan scope adjustment, disabling scan capabilities, and
  splitting configuration with include.
---
This guide walks you through the following configuration:

1. Create `.cnb/security/code_scan_config.yml`.
2. Use `.scanignore` to exclude paths that do not need to be scanned.
3. Disable a scan capability as needed, or split configuration with `include`.

## Step 1: Create the configuration file

Add `.cnb/security/code_scan_config.yml` to the repository and let multiple scan capabilities share one `.scanignore`:

```yaml title=".cnb/security/code_scan_config.yml"
secrets:
  scan:
    ignoreFrom: .scanignore
software-composition-analysis:
  scan:
    ignoreFrom: .scanignore
```

Undeclared capabilities use platform defaults. If this file is not provided, the platform also uses the built-in
default configuration and scanning continues as usual.

## Step 2: Add an ignore file

Add `.scanignore` to the repository root and declare paths that do not need to be scanned, using gitignore syntax:

```text title=".scanignore"
# Repository root path
/go.mod

# Third-party code
vendor/
node_modules/

# Test fixtures
**/testdata/**

# Build artifacts
dist/
build/
```

Once `ignoreFrom` is explicitly declared, the target file must exist. If the file does not exist, configuration loading
fails.

## Step 3: Adjust configuration as needed

### Disable a scan capability

Point the corresponding capability's `ignoreFrom` to a file whose content is `**`, and that capability skips all paths.
For example, to disable only `secrets`:

```yaml title=".cnb/security/code_scan_config.yml"
secrets:
  scan:
    ignoreFrom: .scanignore-disabled # points to a ** file, so secrets skips all paths
```

```text title=".scanignore-disabled"
**
```

### Split configuration

When the configuration becomes long, you can split it into separate subfiles. All include paths are resolved
**relative to the repository root**:

```yaml title=".cnb/security/code_scan_config.yml"
include:
  - .cnb/security/checks/secrets.yml
  - .cnb/security/checks/sca.yml
```

```yaml title=".cnb/security/checks/secrets.yml"
secrets:
  scan:
    ignoreFrom: .scanignore
```

```yaml title=".cnb/security/checks/sca.yml"
software-composition-analysis:
  scan:
    ignoreFrom: .scanignore
    paths:
      # Even if .scanignore excludes vendor, this negation rule forces it back into scanning
      - "!third_party/our-fork/**"
```

:::: warning Note
include paths must be relative to the repository root. URLs and cross-repository references are not supported.
Include files are parsed recursively, with at most 50 files parsed in a single run. For details, see
[Configuration file](./config-file.md).
::::

## Next steps

* [Configuration file](./config-file.md) — include details and merge rules
* [Syntax reference](./syntax-reference.md) — complete field reference
