Integrating Xygeni into your Workflow

Integration Scenarios

Xygeni provides two main facilities for monitoring your build & deployment systems: a Scanner that runs on demand or when a certain event occurs, and connects to the target system for analysis. As well as a Sensor that is installed in the target system and notifies the Xygeni Platform when events of interest occur.

The following are the most common scenarios:

Using the Scanner Command Line

You may run a scan from the command line to analyze any local software project, a software repository, or a container image. The scanner discovers the assets and performs static analysis on the source code, package metadata and configurations.

The scanner runs scan steps aiming at each potential security issue class, and generates reports that can be uploaded to the platform.

To quickly access the Xygeni scanner after installation, execute the following command in the terminal:

# Scan a directory with software
xygeni scan --dir PATH/TO/PROJECT

# Scan a software repository
xygeni scan --repository URL

# Scan a container image
xygeni scan --image IMAGE

The exit code from the scanner can be used to stop the build if the issues found are deemed critical enough, acting as a "security guardrail".

The command line interface is the most direct way for running the scanner. Besides the alternative integration mechanisms listed below, the scanner’s command line could be used directly in places like CI/CD pipelines, build scripts, git hook scripts, etc...

See the Xygeni Scanner for further details on how to install and run the scans.

Integrate the Scanner into a CI/CD Pipeline

Integrating the scanner within a CI/CD pipeline offers a proactive approach, enabling the early detection of potential issues during the build and development process. This ensures problems are addressed promptly.

Under Continuous Integration / Continuous Delivery, an event on the source code repository often triggers a pipeline or workflow that builds, tests and performs different checks on the sources and the artifacts built. A Xygeni scan is an essential check, ensuring continuous monitoring of security issues that may compromise the software supply chain.

For streamlined integration, Xygeni provides facilities for integration into build pipelines for the primary CI/CD systems.

See the Integrate into CI/CD Systems section for full details.

Xygeni can automatically add a pipeline to run the scanner. Please visit Managed Scans for further information.

Running the Scanner as a Gate in a Git Hook

The Xygeni scanner could be run at client-side, before a commit is applied, by adding a pre-commit git hook.

If you have control over git hooks at your git server, you may add a pre-receive hook at server side, so a push may be rejected if the scanner finds critical security issues.

Two common use cases for such hooks are: avoiding secret leaks committed to sources and critical file modifications not following a required change protocol.

For full details, read Git Hooks with Xygeni.

Using Sensors for Activity Monitoring

Unusual activity may indicate either a running attack or a sloppy change in the security configuration that opens the door to bad actors. To capture the activity as it happens in the software build & deploy systems, Xygeni provides a collection of plugins ("Sensors") that, once installed in the target systems, notifies to the platform the events of interest for correlation and identification of anomalies.

Live notifications for high severity alerts are provided to the user, allowing them to take immediate action to mitigate the risk and prevent further damage.

To know how the sensors work and how to install them in the target systems, read Integrate Xygeni Sensors.

Uploading Findings from External Security Tools

Xygeni prioritization and response can also be used with security findings reported by other (open-source and commercial) third-party security tools.

The scanner provides a report-upload command for uploading the structured reports generated by third-party security tools, in areas like Static Application Security Testing (SAST), Software Composition Analysis (SCA), or Secret Leaks / IaC Flaws Detection.

In your CI/CD pipelines you may have a step where another SAST tool is launched to uncover vulnerabilities in your source code or configurations. The output of the tool could be ingested by Xygeni to normalize the findings, and then use the findings for prioritization and remediation.

The workflow accommodates findings from Xygeni scans and your preferred third-party tool, as long as its output format is supported.

Visit external scanners supported to view the full list of external scanners and formats supported.

For details on how to upload the results from a third-party scanner using the report-upload command, please read the report-upload reference.

Last updated