GitHub Actions Integration
Introduction
GitHub Actions is a platform for continuous integration in GitHub repositories. An action encodes a reusable task with configurable parameters.
Xygeni provides a xygeni-action for downloading and running the scanner on the repository.
Usage
The xygeni-action action downloads, configures and executes the Xygeni Scanner on the repository where the action is invoked.
Setting API token as encrypted secret in GitHub
The scanner needs an API token to communicate with the Xygeni platform. The API token is a secret, so it should be registered at the appropriate scope (organization, repository or environment) using GitHub Encrypted Secrets rather than written into the workflow file.

For example, to register the API token as a secret named XYGENI_TOKEN for the repository in the current working directory, you may use the GitHub gh command:
# The command will prompt you to enter the secret value
gh secret set XYGENI_TOKEN
# Alternatively you may read the value of the API token from a local file
gh secret set XYGENI_TOKEN < /path/to/xygeni_token.txt
(You must be the repository owner for creating repository secrets.)
To create an encrypted secret at environment scope in a personal-account repository (you need to be the repository owner), add --env ENV_NAME:
# Set the secret in the ENV_NAME environment of the current repository
gh secret set --env ENV_NAME XYGENI_TOKEN
To create an encrypted secret at organization scope (so the secret is available to all or a subset of the organization repositories), add --org ORG_NAME:
# GitHub CLI does not have the admin:org permission by default
gh auth login --scopes "admin:org"
# Set the secret available to private repositories only (the default visibility)
gh secret set --org ORG_NAME XYGENI_TOKEN
# Or set the secret available to all organization repositories
gh secret set --org ORG_NAME XYGENI_TOKEN --visibility all
# Or limit visibility of the secret to the selected repositories
gh secret set --org ORG_NAME XYGENI_TOKEN --visibility selected --repos "repo1,repo2"
You may also use the corresponding GitHub web pages to set the API token as a secret named XYGENI_TOKEN at the appropriate scope.
Add a step calling the action
In a GitHub workflow (.github/workflows/*.yml) the Xygeni scanner can be run on the repository files, typically after actions/checkout has retrieved the branch sources. When the checkout action is used, the GITHUB_WORKSPACE environment variable contains the default location of the repository.
A workflow that calls the action has the following form:
on:
  workflow_dispatch:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]

jobs:
  xygeni-scan:
    runs-on: ubuntu-latest
    name: xygeni-github-action
    steps:
      # Checkout the repository sources (GITHUB_WORKSPACE)
      - name: Checkout
        uses: actions/checkout@<version>        # <version>: release tag of the checkout action
      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@<version>    # <version>: release tag of xygeni-action
        id: Xygeni-Scanner
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
          gh_token: ${{ secrets.GH_PAT }}
Where XYGENI_TOKEN is the name of the encrypted secret where the API token was saved. The gh_token input is optional; when omitted it defaults to the workflow's GITHUB_TOKEN (see the parameters below).
Parameters
Only the API token (or, alternatively, the username and password) is required.
The default values of the other parameters can be changed. For example, you may give the project a specific name instead of the GitHub repository name, GITHUB_REPOSITORY. You may also scan a particular source subdirectory instead of the default, for example ${{ github.repository }}/src.
You can see more information about default GitHub environment variables here.
The available parameters for the action are:

| Parameter | Description | Required | Default |
|---|---|---|---|
| gh_token | GitHub token used to retrieve repository information for misconfiguration and compliance checks. | No | ${GITHUB_TOKEN} |
| directory | Directory to analyze. | No | ${{ github.workspace }} |
| token | Xygeni API token. | No | (none) |
| username | Xygeni account's username. Not recommended; use token instead. | No | (none) |
| password | Xygeni account's password. Not recommended; use token instead. | No | (none) |
| command | Command executed by the scanner. | No | scan --never-fail -n ${{ github.repository }} -d /app |
Example for running only the hard-coded secrets and IaC flaws detectors, and failing the build only when critical issues are found:
      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@<version>    # <version>: release tag of xygeni-action
        id: Xygeni-Scanner
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
          command: >-
            scan -n ${{ github.repository }} -d ${{ github.repository }}
            --run=secrets,iac --fail-on=critical
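A small lint for the workflow step described above, serving both the step definition and the parameter table. This is an added example, not code from Xygeni or the action: it extracts the `with:` inputs of the xygeni-action step from the workflow text and flags the weak configurations the page warns about (credentials not taken from the secrets context, the discouraged username/password pair, and a `command` that keeps the default `--never-fail`, so findings never block the build). The sample step, the `xyg_hardcoded_value` token and the `<version>` tag are constructed placeholders.

```python
import re
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.\w+\s*\}\}$")  # ${{ secrets.NAME }}

def xygeni_inputs(workflow_text):
    """Collect the `with:` inputs of the first xygeni-action step; folded (>-) scalars are joined."""
    inputs, found, in_with, indent, key = {}, False, False, None, None
    for line in workflow_text.splitlines():
        s = line.strip()
        if not found:                    # wait for the action's `uses:` line
            found = s.startswith("uses:") and "xygeni/xygeni-action@" in s
            continue
        if s.startswith("- "):           # next step begins
            break
        if s == "with:":
            in_with = True
            continue
        if not in_with or not s:
            continue
        cur = len(line) - len(line.lstrip())
        indent = cur if indent is None else indent
        if cur < indent:                 # dedent closes the with block
            break
        if cur > indent and key:         # continuation line of a folded scalar
            inputs[key] = (inputs[key] + " " + s).strip()
            continue
        key, _, value = (p.strip() for p in s.partition(":"))
        inputs[key] = "" if value in (">", ">-", "|", "|-") else value
    return inputs

def lint(workflow_text):
    """Return findings for the xygeni-action step; an empty list means it looks sound."""
    inputs = xygeni_inputs(workflow_text)
    if not inputs:
        return ["no xygeni/xygeni-action step with inputs found"]
    findings = []
    for name in ("token", "gh_token"):
        if name in inputs and not SECRET_REF.match(inputs[name]):
            findings.append(f"{name} is not read from the secrets context")
    if "username" in inputs or "password" in inputs:
        findings.append("username/password used instead of the API token")
    if "--never-fail" in inputs.get("command", ""):
        findings.append("--never-fail means findings never fail the build")
    return findings

SAMPLE_STEP = """\
        uses: xygeni/xygeni-action@<version>
        with:
          token: xyg_hardcoded_value
          username: alice
          command: scan --never-fail -n ${{ github.repository }} -d /app
"""  # constructed sample step, not from the docs; <version> is a placeholder tag
```

Running `lint(SAMPLE_STEP)` reports all three problems, while a step that reads `token` from `secrets.XYGENI_TOKEN` and sets `--fail-on=critical` returns an empty list.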