Customizations

Organizations may need to customize the Xygeni platform to meet their specific needs. Although Xygeni is designed to produce useful, actionable findings about your security posture against software supply chain attacks from the very start, it also provides a rich REST API and a set of development tools for special customizations.

There is a public GitHub repository, Xygeni Extensions, that contains full documentation and sample sources for different extensions of the Xygeni platform. In this repository you will find detailed instructions and how-to guides for developing custom detectors, sample code and project build templates.

API

The REST API allows retrieval of security issues, the project risk summary and trends in security posture, report generation, and administration. You may use the API to integrate the security findings into your own tools and systems, or into your pipelines (for example, to fail a build when new findings above a chosen severity appear).

See REST API for further detail.
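The following is an added example of the pipeline-integration use just described; it is not Xygeni's own code and does not document the real API. It assumes that the issues endpoint returns a JSON list of objects each carrying a "severity" field (a constructed, hypothetical shape), and that the full endpoint URL and an access token are supplied through the hypothetical environment variables XYGENI_ISSUES_URL and XYGENI_TOKEN, so no API path is hard-coded. Offline, it runs against a constructed sample payload.

```python
"""Pipeline gate over findings retrieved from a REST issues endpoint.

Added example, not Xygeni's own code. The response shape (a JSON list of
issues with a "severity" field) is an assumption; consult the REST API
documentation for the real endpoint and schema.
"""
import json
import os
import urllib.request
from collections import Counter

# Severities from most to least severe; used to decide what blocks a build.
SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")


def fetch_issues(url, token, timeout=30):
    """GET `url` with a bearer token and return the parsed JSON body.

    `url` is the complete issues endpoint taken from the API docs; nothing
    about its path is assumed here. urlopen raises HTTPError on 4xx/5xx.
    """
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def count_by_severity(issues):
    """Count issues per normalized severity; unknown values map to 'unknown'."""
    counts = Counter()
    for issue in issues:
        sev = str(issue.get("severity", "")).lower()
        counts[sev if sev in SEVERITY_ORDER else "unknown"] += 1
    return dict(counts)


def gate(issues, fail_on="high", unknown_fails=True):
    """Return (passed, reason). Fails if any issue is at or above `fail_on`.

    Issues with an unrecognized severity fail the gate by default, so a
    schema change in the feed cannot silently turn the gate green.
    """
    fail_on = fail_on.lower()
    counts = count_by_severity(issues)
    limit = SEVERITY_ORDER.index(fail_on)  # ValueError on a bogus threshold
    blocking = {s: counts[s] for s in SEVERITY_ORDER[:limit + 1] if counts.get(s)}
    if blocking:
        return False, f"blocking findings: {blocking}"
    if unknown_fails and counts.get("unknown"):
        return False, f"{counts['unknown']} issue(s) with unrecognized severity"
    return True, f"no findings at severity {fail_on} or above ({counts})"


# Constructed sample payload in the assumed shape, used when no endpoint is set.
SAMPLE_ISSUES = [
    {"id": "i-1", "severity": "High", "detector": "example-detector"},
    {"id": "i-2", "severity": "low", "detector": "example-detector"},
    {"id": "i-3", "severity": "MEDIUM", "detector": "example-detector"},
]

if __name__ == "__main__":
    # Hypothetical variable names; set them to your endpoint URL and token.
    url = os.environ.get("XYGENI_ISSUES_URL")
    token = os.environ.get("XYGENI_TOKEN")
    issues = fetch_issues(url, token) if url and token else SAMPLE_ISSUES
    ok, reason = gate(issues, fail_on=os.environ.get("FAIL_ON", "high"))
    print(("PASS: " if ok else "FAIL: ") + reason)
    raise SystemExit(0 if ok else 1)
```

The exit status is what a CI job consumes: a non-zero exit fails the stage. Treating unrecognized severities as blocking is deliberate; if the feed's schema or severity vocabulary changes, the gate turns red rather than silently passing everything.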

Custom Detectors

A Xygeni detector is a piece of logic that detects a security issue in a scanned target such as source code, a source code repository, a container image, a CI/CD system or other software. Xygeni provides a rich set of predefined, off-the-shelf detectors used in scans, but you may add your own custom detectors.

Xygeni provides a comprehensive development framework for custom detectors. Once built, they are loaded into a scan by pointing the scanner at the directory that holds them with the --custom-detectors-dir option.

For full information, read Developing and Deploying Custom Detectors.

Defining custom converters for third-party tool reports

If you need to upload a report from a third-party security tool and its format is not supported by Xygeni, you may develop your own extension that loads the input report and converts it into one of the report formats Xygeni accepts.

Xygeni provides a framework for developing customized report converters and registering them so they are available in the report-upload scanner command.

For further details, read Adding Support For Additional Report Formats.

In other cases, the third-party tool produces no report file that can be ingested directly. For some popular tools an export mechanism (often using the tool's API) is provided. See Exporting Reports from Third-Party Tools for more details.
