Designing a Vulnerability Management Program and Self-Hosted DefectDojo Setup for a 600-Repo SaaS Scale-Up

Hi all, I've recently started working at a scale-up SaaS company. I'm the only security engineer. I want to design a vulnerability management program and set up a self-hosted DefectDojo. The company has 600 repositories. Since vulnerability management hasn't been done before, I don't have any data. Because of this, I'm very confused. I need to determine a scanning strategy and identify the system requirements for DefectDojo. What's the best way to do this?