Gitea Actions Integration

Introduction

Xygeni provides a xygeni-action for downloading and running the scanner on the repository.

The following configuration examples show how to install & run the scanner using an API Token stored as a secret named XYGENI_TOKEN. See Generate Xygeni API Token for Scanner or ask your Xygeni administrator to generate it.

Usage

The xygeni-action action downloads, configures and executes the Xygeni Scanner on the repository where the action is invoked.

Setting API token as encrypted secret in Gitea

The scanner needs an API token to communicate with the Xygeni platform. The API token is a secret and should be registered as an encrypted secret at the appropriate scope (organization, repository or environment).

For example, to register the API token as a secret named XYGENI_TOKEN for the repository in the current working directory.
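Below is an added example of registering the secret through Gitea's REST API instead of the web UI; it is not part of the Xygeni action or its documentation. It assumes the Gitea endpoint PUT /api/v1/repos/{owner}/{repo}/actions/secrets/{name} taking a JSON body {"data": "<value>"}, authentication with a Gitea personal access token sent in an Authorization: token header, and Gitea's secret-name rules (identifier-like names, no GITEA_ or GITHUB_ prefix). All three are assumptions to check against the API reference of your Gitea version. Both token values are read from environment variables so that neither ends up in shell history or process listings.

```python
"""Register a Xygeni API token as a Gitea Actions repository secret.

Added example, not code from Xygeni or Gitea. Assumed (verify for your Gitea
version): PUT /api/v1/repos/{owner}/{repo}/actions/secrets/{name} with a JSON
body {"data": "<secret value>"}, authenticated via "Authorization: token <PAT>".
"""
import json
import os
import re
import sys
import urllib.request
from urllib.parse import quote

# Assumed Gitea rules for secret names: identifier-like, no reserved prefixes.
SECRET_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
RESERVED_PREFIXES = ("GITEA_", "GITHUB_")


def validate_secret_name(name: str) -> str:
    """Reject names Gitea would refuse, before any value leaves this host."""
    if not SECRET_NAME_RE.match(name):
        raise ValueError(f"invalid secret name: {name!r}")
    if name.upper().startswith(RESERVED_PREFIXES):
        raise ValueError(f"secret name uses a reserved prefix: {name!r}")
    return name


def build_secret_request(base_url: str, owner: str, repo: str,
                         name: str, value: str) -> tuple[str, bytes]:
    """Return (url, body) for the assumed create-or-update secret call."""
    validate_secret_name(name)
    url = (f"{base_url.rstrip('/')}/api/v1/repos/"
           f"{quote(owner, safe='')}/{quote(repo, safe='')}/actions/secrets/{name}")
    # json.dumps escapes quotes/backslashes, so any token value is safe in the body.
    body = json.dumps({"data": value}).encode()
    return url, body


def register_secret(base_url: str, owner: str, repo: str, name: str,
                    value: str, pat: str, timeout: int = 10) -> int:
    """PUT the secret and return the HTTP status (assumed 201 created / 204 updated)."""
    url, body = build_secret_request(base_url, owner, repo, name, value)
    req = urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": f"token {pat}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python register_secret.py https://gitea.example.com <owner> <repo>
    # with XYGENI_TOKEN (the scanner token) and GITEA_PAT (your Gitea PAT) exported.
    base, owner, repo = sys.argv[1:4]
    status = register_secret(base, owner, repo, "XYGENI_TOKEN",
                             os.environ["XYGENI_TOKEN"], os.environ["GITEA_PAT"])
    print("Gitea responded with HTTP", status)
```

The PAT used here only needs permission to write repository Actions secrets; an organization-wide secret would use the corresponding org-level endpoint, which is not shown.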

Add a step calling the action

In a Gitea workflow (.gitea/workflows/*.yml) the Xygeni scanner can be run on the repository files, typically after actions/checkout has retrieved the branch sources.

You can configure a simple Gitea action with this workflow:

name: Xygeni Scan
on:
  workflow_dispatch:   # manual trigger only; add other triggers to scan automatically

jobs:
  xygeni-scan:
    name: Xygeni Scan
    runs-on: ubuntu-latest
    steps:
      # Check out the sources to scan; replace {ORG}/{REPO} with the repository's owner/name
      - uses: actions/[email protected]
        with:
          repository: {ORG}/{REPO}
          token: ${{ secrets.GITEA_TOKEN }}

      # The scanner needs a JDK available on the runner
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'

      # Download, configure and run the scanner, authenticating with the stored API token
      - name: Xygeni-Scanner
        uses: xygeni/[email protected]
        with:
          xygeni_url: https://api.xygeni.io/
          token: ${{ secrets.XYGENI_TOKEN }}
          gh_token: ${{ secrets.GITEA_TOKEN }}

Here XYGENI_TOKEN is the name of the encrypted secret in which the API token was saved. With on: workflow_dispatch, as in the example above, the workflow runs only when triggered manually.

Parameters

The available parameters for the action are:

Parameter     Description                                                                           Mandatory   Default value
xygeni_url    Base URL of the Xygeni API.                                                           No          (none)
gitea_token   Gitea token to retrieve repository information for misconfigurations and compliance.  No          ${GITEA_TOKEN}
directory     Directory to analyze.                                                                 No          ${{ github.workspace }}
token         API token.                                                                            No          (none)
username      Xygeni account’s username. Not recommended, use token instead.                        No          (none)
password      Xygeni account’s password. Not recommended, use token instead.                        No          (none)
command       Command to execute by the scanner.                                                    No          scan --never-fail -n ${{ github.repository }} -d /app

Use --never-fail to keep the build from breaking when the scan finds issues or the scan itself fails. Use --fail-on=critical instead to terminate the build only when critical issues are found.

Use --run to restrict the scan to particular detectors; for example, --run=secrets,iac scans only for hard-coded secrets and IaC flaws.

Example for running only the hard-coded secrets and IaC flaw detectors, and failing the build only when critical issues are found:

  - name: Xygeni-Scanner
    uses: xygeni/[email protected]
    id: Xygeni-Scanner
    with:
      token: ${{ secrets.XYGENI_TOKEN }}
      # Folded scalar (>-): keep every continuation line at the same indentation as the first,
      # otherwise YAML treats it as "more indented" and preserves the line break and extra spaces
      command: >-
        scan -n ${{ gitea.repository }} -d ${{ gitea.repository }}
        --run=secrets,iac --fail-on=critical

You may pin the action to an immutable commit SHA instead of a version tag, as described in Pin actions to full length commit SHA.
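As an added example (not code from Xygeni or the Gitea project), the following script checks the uses: references in a workflow and reports any that are not pinned to a full 40-character commit SHA, so the pinning policy can be enforced rather than assumed. It assumes the standard owner/repo[/path]@ref syntax, treats local (./) and docker:// references as exempt, and the embedded sample workflow is constructed, with a placeholder SHA rather than a real commit.

```python
"""Report workflow `uses:` references that are not pinned to a full commit SHA.

Added example, not part of the Xygeni action or its documentation. Assumes the
usual Gitea/GitHub workflow syntax: `uses: owner/repo[/path]@ref`; local
(`./path`) and `docker://` references have nothing to pin and are skipped.
"""
import glob
import re
import sys

# A `uses:` line, as a list item or a plain key, optionally quoted; stops at a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every action not pinned to a 40-hex SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container image: no git ref to pin
        _, _, version = ref.rpartition("@")  # "" when no @ref at all
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample: one tag-pinned step, one local action, one SHA-pinned step.
# The SHA below is a placeholder, not a real commit of the Xygeni action.
SAMPLE_WORKFLOW = """\
jobs:
  xygeni-scan:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.gitea/actions/local-step
      - name: Xygeni-Scanner
        uses: xygeni/xygeni-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder SHA
        with:
          token: ${{ secrets.XYGENI_TOKEN }}
"""


if __name__ == "__main__":
    # Usage: python check_pins.py [workflow.yml ...]; defaults to .gitea/workflows/*.yml
    paths = sys.argv[1:] or sorted(glob.glob(".gitea/workflows/*.yml"))
    if not paths:
        print("no workflow files given; running against the built-in sample")
        for lineno, ref in unpinned_uses(SAMPLE_WORKFLOW):
            print(f"sample:{lineno}: not pinned to a commit SHA: {ref}")
        sys.exit(0)
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for lineno, ref in unpinned_uses(fh.read()):
                print(f"{path}:{lineno}: not pinned to a commit SHA: {ref}")
                bad += 1
    sys.exit(1 if bad else 0)  # non-zero so the check can gate a pipeline
```

On the built-in sample only the actions/checkout@v4 line is reported; the local step is skipped and the placeholder-SHA step passes. A reference with no @ref at all is reported too, since it floats on the default branch.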
