Integrating Xygeni into your Workflow
Last updated
Last updated
Xygeni provides two main facilities for monitoring your build & deployment systems: a Scanner that runs on demand or when a certain event occurs, and connects to the target system for analysis. As well as a Sensor that is installed in the target system and notifies the Xygeni Platform when events of interest occur.
The following are the most common scenarios:
You may run a scan from the command line to analyze any local software project, a software repository, or a container image. The scanner discovers the assets and performs static analysis on the source code, package metadata and configurations.
The scanner runs scan steps aiming at each potential security issue class, and generates reports that can be uploaded to the platform.
To quickly access the Xygeni scanner after installation, execute the following command in the terminal:
Integrating the scanner within a CI/CD pipeline offers a proactive approach, enabling the early detection of potential issues during the build and development process. This ensures problems are addressed promptly.
Under Continuous Integration / Continuous Delivery, an event on the source code repository often triggers a pipeline or workflow that builds, tests and performs different checks on the sources and the artifacts built. A Xygeni scan is an essential check, ensuring continuous monitoring of security issues that may compromise the software supply chain.
For streamlined integration, Xygeni provides facilities for integration into build pipelines for the primary CI/CD systems.
The Xygeni scanner could be run at client-side, before a commit is applied, by adding a pre-commit
git hook.
If you have control over git hooks at your git server, you may add a pre-receive
hook at server side, so a push may be rejected if the scanner finds critical security issues.
Two common use cases for such hooks are: avoiding secret leaks committed to sources and critical file modifications not following a required change protocol.
Unusual activity may indicate either a running attack or a sloppy change in the security configuration that opens the door to bad actors. To capture the activity as it happens in the software build & deploy systems, Xygeni provides a collection of plugins ("Sensors") that, once installed in the target systems, notifies to the platform the events of interest for correlation and identification of anomalies.
Live notifications for high severity alerts are provided to the user, allowing them to take immediate action to mitigate the risk and prevent further damage.
Xygeni prioritization and response can also be used with security findings reported by other (open-source and commercial) third-party security tools.
The scanner provides a report-upload
command for uploading the structured reports generated by third-party security tools, in areas like Static Application Security Testing (SAST), Software Composition Analysis (SCA), or Secret Leaks / IaC Flaws Detection.
In your CI/CD pipelines you may have a step where another SAST tool is launched to uncover vulnerabilities in your source code or configurations. The output of the tool could be ingested by Xygeni to normalize the findings, and then use the findings for prioritization and remediation.
The workflow accommodates findings from Xygeni scans and your preferred third-party tool, as long as its output format is supported.
The exit code from the scanner can be used to stop the build if the issues found are deemed critical enough, acting as a "".
See the for further details on how to install and run the scans.
See the section for full details.
Xygeni can automatically add a pipeline to run the scanner. Please visit for further information.
For full details, read .
To know how the sensors work and how to install them in the target systems, read .
Visit to view the full list of external scanners and formats supported.
For details on how to upload the results from a third-party scanner using the report-upload
command, please read the .