GitHub Actions Integration

Last updated 7 months ago

Introduction

GitHub Actions is a platform for continuous integration in GitHub repositories. An action encodes a reusable task with configurable parameters.

Xygeni provides the xygeni-action for downloading and running the scanner on the repository.

The following configuration examples show how to install and run the scanner using an API token stored as an encrypted secret named XYGENI_TOKEN. See Generate Xygeni API Token for Scanner, or ask your Xygeni administrator to generate one.

Usage

The xygeni-action action downloads, configures and executes the Xygeni Scanner on the repository where the action is invoked.

Setting API token as encrypted secret in GitHub

The scanner needs an API token to communicate with the Xygeni platform. The API token is a secret and must never be written into the workflow file; register it at the appropriate scope (organization, repository or environment) using GitHub Encrypted Secrets and reference it through the secrets context.

For example, to register the API token as a secret named XYGENI_TOKEN for the repository in the current working directory, you may use the GitHub gh command:

# The command will prompt you to enter the secret value
gh secret set XYGENI_TOKEN

# Alternatively you may read the value of the API token from a local file
gh secret set XYGENI_TOKEN < /path/to/xygeni_token.txt

(You must be the repository owner of a personal account repository, or have admin access to an organization repository, to create repository secrets.)

To create an encrypted secret at environment scope in a personal account repository (you need to be the repository owner), add --env ENV_NAME:

# Set the secret in the ENV_NAME environment of the current repository
gh secret set --env ENV_NAME XYGENI_TOKEN

To create an encrypted secret at organization scope (so the secret is available to all, or to a subset of, the organization's repositories), add --org ORG_NAME:

# The GitHub CLI does not have the admin:org scope by default
gh auth login --scopes "admin:org"

# Set the secret available to private repositories only (the default visibility)
gh secret set --org ORG_NAME XYGENI_TOKEN

# Or set the secret available to all organization repositories
gh secret set --org ORG_NAME XYGENI_TOKEN --visibility all

# Or limit visibility of the secret to selected repositories
gh secret set --org ORG_NAME XYGENI_TOKEN --visibility selected --repos "repo-one,repo-two"

Alternatively, use the corresponding GitHub web pages to set the API token as a secret named XYGENI_TOKEN at the appropriate scope. Prefer the narrowest scope that works: a repository or environment secret exposes the token to fewer workflows than an organization-wide one.

Add a step calling the action

In a GitHub workflow (.github/workflows/*.yml) the Xygeni scanner can be run on the repository files, typically after actions/checkout has retrieved the branch sources. When the checkout action is used, the GITHUB_WORKSPACE environment variable contains the location where the repository was placed.

A workflow invoking the action has the following form:

on:
  workflow_dispatch:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]

jobs:
  xygeni-scan:
    runs-on: ubuntu-latest
    name: xygeni-github-action
    steps:
      # Checkout the repository sources (GITHUB_WORKSPACE)
      - name: Checkout
        uses: actions/checkout@v3.1.0

      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@3.2.0
        id: Xygeni-Scanner
        with:
          # API token registered as an encrypted secret (see above)
          token: ${{ secrets.XYGENI_TOKEN }}
          # Optional: GitHub token for the CI/CD misconfiguration and
          # compliance checks; defaults to GITHUB_TOKEN when omitted
          gh_token: ${{ secrets.GH_PAT }}

Where XYGENI_TOKEN is the name of the encrypted secret where the API token was saved.

Parameters

Only the API token (or, alternatively, username + password) is required.

The default values of some parameters can be changed. For example, you may give the project a specific name instead of the GitHub repository name, GITHUB_REPOSITORY. You may also scan a particular source subdirectory instead of the default, for example ${{ github.workspace }}/src.

The available parameters for the action are:

| Parameter | Description | Mandatory | Default value |
|---|---|---|---|
| xygeni_url | Base URL of the Xygeni API. | No | https://api.xygeni.com |
| gh_token | GitHub token used to retrieve repository information for the misconfiguration and compliance checks. | No | ${GITHUB_TOKEN} |
| directory | Directory to analyze. | No | ${{ github.workspace }} |
| token | Xygeni API token. Required unless username and password are given. | No | |
| username | Xygeni account's username. Not recommended; use token instead. | No | |
| password | Xygeni account's password. Not recommended; use token instead. | No | |
| command | Command executed by the scanner. | No | scan --never-fail -n ${{ github.repository }} -d /app |

Use --never-fail to avoid breaking the build when the scan finds issues or fails. Alternatively, use --fail-on=critical to terminate the build only when critical issues are found; note that the default command uses --never-fail, so a scan that surfaces critical findings will not block a merge unless you override the command.

Use --run=secrets,iac, for example, if you want to run only the hard-coded secrets and IaC detectors.

Example that runs only the hard-coded secrets and IaC detectors, and fails the build only when critical issues are found:

  - name: Xygeni-Scanner
    uses: xygeni/xygeni-action@3.2.0
    id: Xygeni-Scanner
    with:
      token: ${{ secrets.XYGENI_TOKEN }}
      # -d /app matches the default command; ${{ github.repository }} expands to
      # owner/name and is a project name, not a directory
      command: >-
         scan -n ${{ github.repository }} -d /app
              --run=secrets,iac --fail-on=critical

More information about the default GitHub environment variables is available in the GitHub Actions documentation.

Pin the action to a full-length, immutable commit SHA instead of a version tag, as described in GitHub's Pin actions to full length commit SHA guidance. A tag can be moved to point at different code; a commit SHA cannot.
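As an added example (it is not part of the Xygeni documentation or of the xygeni-action project), the following POSIX shell script lints workflow files for the three hardening points made on this page: every action is pinned to a full commit SHA, every credential input is taken from the secrets context rather than written into the workflow, and the workflow declares a top-level permissions block. It runs the check over two constructed workflows embedded in the script: the page's own example, and a hardened variant of it. The function names, the 40-zero placeholder SHAs and the `permissions: contents: read` block are assumptions; the input names (token, gh_token) and the command flags are the ones documented above.

```shell
# Added example, not the Xygeni docs' or the xygeni-action project's code:
# a pre-commit style lint for .github/workflows/*.yml that enforces
#   1. every `uses:` is pinned to a 40-hex commit SHA, not a movable tag;
#   2. token/password inputs come from ${{ secrets.* }} or github.token;
#   3. a top-level `permissions:` block restricts the job's GITHUB_TOKEN.
set -u

# lint_workflow FILE -> prints one finding per line; exit status = number of findings
lint_workflow() {
  file="$1"; findings=0
  while IFS= read -r line || [ -n "$line" ]; do
    trimmed="${line#"${line%%[! ]*}"}"            # drop leading indentation
    case "$trimmed" in ''|'#'*) continue ;; esac  # skip blank and comment lines
    # 1. `uses: owner/repo@ref`: ref must be a full commit SHA
    case "$trimmed" in
      *uses:*@*)
        ref="${trimmed##*@}"; ref="${ref%%[ #]*}"  # text after '@', up to space/comment
        if ! printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
          printf 'unpinned action (tag, not SHA): %s\n' "$trimmed"
          findings=$((findings + 1))
        fi ;;
    esac
    # 2. credentials must be referenced from the secrets context, never literal
    case "$trimmed" in
      *token:*|password:*)
        case "$trimmed" in
          *'${{ secrets.'*|*'${{ github.token }}'*) ;;
          *) printf 'credential not taken from secrets: %s\n' "$trimmed"
             findings=$((findings + 1)) ;;
        esac ;;
    esac
  done < "$file"
  # 3. top-level (column 0) permissions block for GITHUB_TOKEN
  if ! grep -Eq '^permissions:' "$file"; then
    printf 'no top-level permissions: block (GITHUB_TOKEN keeps default scopes)\n'
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample 1: the workflow shown on this page (tags, no permissions)
sample_page_workflow() {
  cat <<'EOF'
on:
  push:
    branches: [ main, develop ]
jobs:
  xygeni-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@3.2.0
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
          gh_token: ${{ secrets.GH_PAT }}
EOF
}

# Constructed sample 2: hardened form. The SHAs are placeholders (assumption):
# replace each with the commit its tag resolves to (git ls-remote <repo> <tag>).
# contents: read is the minimum for checkout; widen it only if the CI/CD
# misconfiguration and compliance checks need more from gh_token.
sample_hardened_workflow() {
  cat <<'EOF'
on:
  push:
    branches: [ main, develop ]
permissions:
  contents: read
jobs:
  xygeni-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000 # v3.1.0 (placeholder SHA)
      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@0000000000000000000000000000000000000000 # 3.2.0 (placeholder SHA)
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
          gh_token: ${{ github.token }}
          command: scan -n ${{ github.repository }} -d /app --run=secrets,iac --fail-on=critical
EOF
}

demo() {
  dir=$(mktemp -d)
  sample_page_workflow > "$dir/page.yml"
  sample_hardened_workflow > "$dir/hardened.yml"
  for f in "$dir/page.yml" "$dir/hardened.yml"; do
    n=0; lint_workflow "$f" || n=$?
    printf '%s: %d finding(s)\n' "$f" "$n"
  done
  rm -rf "$dir"
}
demo
```

Run it against your own files with `lint_workflow .github/workflows/xygeni.yml`; a non-zero exit status makes it usable as a pre-commit hook or as a guard step in the same workflow. The page's example yields three findings (two tag-pinned actions and no permissions block); the hardened variant yields none.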
