Gitea Actions Integration

Introduction

Xygeni provides a xygeni-action for downloading and running the scanner on the repository.

The following configuration examples show how to install & run the scanner using an API Token stored as a secret named XYGENI_TOKEN. See Generate Xygeni API Token for Scanner or ask your Xygeni administrator to generate it.

Usage

The xygeni-action action downloads, configures and executes the Xygeni Scanner on the repository where the action is invoked.

Setting API token as encrypted secret in Gitea

The scanner needs an API token to communicate with the Xygeni platform. Such API token is a secret that could be registered safely at the appropriate scope (organization, repository or environment)

For example, to register the API token as a secret named XYGENI_TOKEN, for repository in the current working directory.

Add a step calling the action

In a Gitea workflow (.gitea/workflows/*.yml) the Xygeni scanner could be run on the repository files, typically after actions/checkout to retrieve the branch sources.

You can configure a simple Gitea action with this workflow:

name: Xygeni Scan
on:
  workflow_dispatch:

jobs:
  xygeni-scan:
    name: Xygeni Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
        with:
          repository: {ORG}/{REPO}
          token: ${{ secrets.GITEA_TOKEN }}
          # The default depth of 1 commit is not enough for some scans
          fetch-depth: 0

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Xygeni-Scanner
        uses: xygeni/[email protected]
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
          gh_token: ${{ secrets.POWER_GITEA_TOKEN }}

Where XYGENI_TOKEN is the name of the encrypted secret where the API token was saved. By default this action runs manually on: workflow_dispatch.

Our scanner performs checks to recover information about your Gitea repository, as part of the scanning process to validate if there are misconfigurations affecting them.

See Required token permissions for further details.

Parameters

The Xygeni API token is required.

Parameter

Description

Mandatory

Default value

token

Xygeni API token

Yes

gh_token

Gitea token to retrieve repository information for misconfigurations and compliance.

GITEA_TOKEN

command

Command to execute by the scanner

scan --never-fail

xygeni_url

Base URL of the Xygeni API

https://api.xygeni.io

xygeni_dashboard_url

Base URL of the Xygeni Dashboard

https://in.xygeni.io/dashboard

Use --never-fail to avoid breaking the build if the scan finds issues or fails. You may also use --fail_on=critical to terminate the build only when critical issues are found.

Use --run=secrets,iac if you want to scan only for secrets and IaC flaws, for example.

If you want to analyze a subdirectory, you can configure the command with -d parameter. For example, use -d /app if the directory to scan is the app directory in your repository.

Example for scanning only hard-coded secrets and IaC flaws detectors, and failing the build only when critical issues are found:

  - name: Xygeni-Scanner
    uses: xygeni/[email protected]
    id: Xygeni-Scanner
    with:
      token: ${{ secrets.XYGENI_TOKEN }}
      # No specific Gitea token needed for secrets and IaC scans
      # gh_token: ${{ secrets.POWER_GITEA_TOKEN }}
      command: scan -n ${{ gitea.repository }} -d /app --run=secrets,iac --fail-on=critical

Note that for secrets and iac scans, the default GITEA_TOKEN has enough permissions.

See Xygeni scan command for full information on the command options available.

You may use pinned versions for the action, using the immutable commit SHA instead of version numbers, as specified in Pin actions to full length commit SHA.

PreviousTravis CI Integration NextCloudBees Integration

Last updated 4 days ago