Support

Troubleshooting common issues

The following contains instructions for handling common issues reported on the Xygeni platform.

Installation issues

Powershell Execution Policy

Q: When running the installation script under Windows, does Powershell complain because its configuration does not allow running scripts?

PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

In this case you probably want to set an Execution Policy of RemoteSigned. Open your Powershell terminal and run:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

For more information, visit

Scanner issues

The scanner terminates with error

Q: The scanner ends with a message Error [_CODE_] and sends me here. What can I do?

There was a non-recoverable error in the scan. This can happen due to different causes: invalid arguments, error during setting up the scanner, post-processing error, error while generating output, or simply a generic fatal error.

There was a non-recoverable error in the scan. This can happen due to different causes: invalid arguments, error during setting up the scanner, post-processing error, error while generating output, or simply a generic fatal error.

NOTE: The --never-fail forces the scanner to end with a zero error code, even with fatal error. This could be useful to avoid a scan error to break the build or pipeline where the scanner is invoked.

How to change the scanner logging level ?

Q: The scanner is not working appropriately. How can I increase the logging level for troubleshooting?

The scanner logs its actions at two targets: console (which prints the output to the system console) and logfile (which is sent to the platform for troubleshooting).

The logging levels are, in increasing order of verbosity: FATAL, ERROR, WARN, INFO, DEBUG and TRACE. Two special levels are OFF (disable logging) and ALL (same as TRACE). The default logging levels are WARN for the console and INFO for the logfile.

These default levels work well under normal circumstances, but if you experience errors or misbehaviors while scanning a given software, you may want to increase the logging level.

You may use the -v|--verbose option, which sets DEBUG level for both targets, or the -q|--quiet option, which sets the level to ERROR for the console only, keeping the default for the logfile.

If you want to configure the default levels to use by the scanner, for example setting ERROR for the console and WARN for the logfile, you may edit the conf/log4j2.yml file:

    Console:
      ThresholdFilter:
        #level: "${ctx:console_level:-WARN}"
        level: "${ctx:console_level:-ERROR}"
        # ...
    File:
      ThresholdFilter:
        #level: "${ctx:file_level:-INFO}"
        level: "${ctx:file_level:-WARN}"

How to create and register a central configuration

Q: We need to run the scanner at different places, typically on ephemeral containers. How can we define a central shared configuration so that each scanner run will use that configuration?

Remember that the central configuration is the set of scanner's configuration files, which includes things like include/exclude patterns, scanner authentication to the service api, proxy settings, and configuration for each scan type. Each detector / standard is customized by the organization's [Xygeni Policy], which

First, create your configuration by editing the configuration files (they are YAML files with comments that help with the process).

Then run the scanner's conf-upload command, which will upload the configuration files to the Xygeni service. The scanner will then automatically download the configuration (unless instructed not to do so).

At any time you may call the conf-update to download the central configuration, but keeping existing authentication credentials from local configuration. You may change configuration and re-run conf-upload again.

How to encrypt sensitive data in scanner configuration

Q: I pasted my Xygeni account credentials / API token / proxy credentials in the xygeni.yml configuration file. How can I encrypt this to not leak the credentials?

$ xygeni util encrypt

Integrations issues

API token expired

Q: The scanner or API endpoint fails with an "API token expired" message.