Quick start with Xygeni CLI

A Scan is the action performed by the Xygeni Scanner to find security issues over your project.

Follow the steps below for a quick start with the Xygeni CLI.

1. Install the Scanner CLI

An installation script is provided for automated installation.

For manual installation, download the scanner from https://get.xygeni.io/latest/scanner/xygeni-release.zip (or via the https://apidev.xygeni.io/scan/releases GET API endpoint), unzip it, and configure it by setting credentials and a proxy, if any.

The recommended, automated way to install the scanner is to use the installation script.

Xygeni provides the installation script to get your scanning environment set up as fast as possible.

Download the script

Run whichever of the following best matches your environment:

  curl -sLO https://get.xygeni.io/latest/scanner/install.sh

2. Fetch your Xygeni account credentials or API token

Active Xygeni account credentials are mandatory to run the script, so make sure you’ve signed up first!

An Access Token (also known as 'API token' or 'API key') is used by clients, like the Xygeni Scanner or integrations, to access the Xygeni platform API.

To create a token in the Xygeni Dashboard, go to the Settings >> Administration >> Security tab, then click on the Generate new token button. See Generate Token for Scanner and API client for further details.

Describe what the token will be used for, choose the validity period, and select the permissions granted to the token. Click on the Generate button:

Each permission enables the client to invoke certain API endpoints. The scanner typically needs permission to upload the scan results.

The token is then generated and displayed.

3. Run the installation script

In what follows, XYGENI_TOKEN names an environment variable holding the Xygeni API token that will be registered in the scanner configuration file for authentication with the service.

./install.sh -o -v -t $XYGENI_TOKEN

To list the available options, run ./install.sh --help (or .\install.ps1 --help in PowerShell).

4. Run your first scan

In its simplest form, you only need a file system folder with your project contents (this folder can be a clone of your repo or just a directory with your project's source code).

Use cd /my/project to change to your project directory, then run the xygeni scan command over its contents. All vulnerabilities identified are listed, including their path and fix guidance.

$ cd /my/project
$ xygeni scan 

You can also use the following commands:

# Assuming $XYGENI_HOME is in PATH or a xygeni shortcut is set
# Scan a directory
$ xygeni scan -n <your_project_name> --dir <path_to_analyze>

# Scan a repository
$ xygeni scan --repository <repo_url>

# Scan a container image
$ xygeni scan --repository <image>

# You may add --no-upload to the scan command if you want to review
# the results before uploading them to the Xygeni platform.

IMPORTANT: if you want the scanner to perform checks against your repository and organization (see CI/CD Misconfigurations Detection), make sure you provide your SCM and/or CI/CD system tokens to the scanner.

Usually, the preferred option is to pass the token in an environment variable (like GITHUB_TOKEN or GITLAB_TOKEN).

See SCM and CI/CD tokens to learn more about this topic.

See Xygeni Scanner Reference for the full scanner command-line reference.
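As an added example (not Xygeni's own script), the wrapper below strings steps 1, 3 and 4 together: it refuses to run without XYGENI_TOKEN, warns when neither GITHUB_TOKEN nor GITLAB_TOKEN is set so the repository and organization checks would be skipped, installs the scanner with the script above only if it is missing, and does a --no-upload dry run before the scan that uploads. It assumes the install script leaves a `xygeni` executable on PATH; the project name and path are placeholders.

```shell
#!/usr/bin/env bash
# Added quick-start wrapper for the steps on this page (not Xygeni's own script).
# Assumes the install script leaves a `xygeni` executable on PATH and that the
# flags are exactly those shown on this page (-n, --dir, --repository, --no-upload).
set -u

# Fail early if the API token is missing; never print its value.
require_xygeni_token() {
  if [ -z "${XYGENI_TOKEN:-}" ]; then
    echo "XYGENI_TOKEN is not set (Settings >> Administration >> Security >> Generate new token)" >&2
    return 1
  fi
}

# Repository/organization checks need an SCM token; warn but let the scan run.
warn_missing_scm_tokens() {
  if [ -z "${GITHUB_TOKEN:-}" ] && [ -z "${GITLAB_TOKEN:-}" ]; then
    echo "note: no GITHUB_TOKEN/GITLAB_TOKEN set; SCM and CI/CD checks will be skipped" >&2
    return 1
  fi
}

# Build the `xygeni scan` argument list: project name, a directory or repo URL,
# and optionally --no-upload for a dry run before results reach the platform.
build_scan_args() {
  name=$1; target=$2; upload=${3:-yes}
  case $target in
    http://*|https://*|git@*) args="-n $name --repository $target" ;;
    *) args="-n $name --dir $target" ;;
  esac
  if [ "$upload" = "no" ]; then args="$args --no-upload"; fi
  printf '%s\n' "$args"
}

install_scanner_if_missing() {
  command -v xygeni >/dev/null 2>&1 && return 0
  curl -sLO https://get.xygeni.io/latest/scanner/install.sh && ./install.sh -o -v -t "$XYGENI_TOKEN"
}

main() {
  require_xygeni_token || exit 1
  warn_missing_scm_tokens || true
  install_scanner_if_missing || exit 1
  # Dry run first (--no-upload), then the real scan that uploads the results.
  xygeni scan $(build_scan_args "$1" "$2" no) && xygeni scan $(build_scan_args "$1" "$2")
}

# Runs only when asked: XYGENI_QUICKSTART_RUN=1 ./quickstart.sh my-app /my/project
if [ "${XYGENI_QUICKSTART_RUN:-0}" = "1" ]; then main "$@"; fi
```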

5. View the scan results

After logging into the Xygeni Dashboard, the Security Posture Summary screen is the entry point.

Go to Xygeni Web UI for a guide to browsing the Xygeni Web UI.