# External Scanners Supported

The `xygeni report-upload` command normalizes and uploads findings from third-party security tools to the Xygeni platform. The input reports are typically export formats (JSON, XML) and may follow common exchange formats like *Static Analysis Results Interchange Format* ([SARIF](https://sarifweb.azurewebsites.net/)) or GitLab’s [Security Report Schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas).

The following is the list of third-party security scanners and report formats supported. The supported formats can also be listed by running the `report-upload --show-formats` command within the Xygeni scanner. Formats and tools are listed in alphabetical order. Xygeni does not endorse any vendor or tool.

Go to the [report-upload command reference](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools.md) for the command syntax, and to [Pull-mode fetch](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/pull-mode-fetch.md) for the API-driven alternative to file uploads.

For per-category import walkthroughs (each with its own format table and pull-mode pointers), see:

* [SCA Report Import](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/sca-report-import.md)
* [SAST Report Import](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/sast-report-import.md)
* [IaC Flaws Report Import](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/iac-report-import.md)
* [Secrets Report Import](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/secrets-report-import.md)
* [DAST Report Import](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/dast-report-import.md)
* [Inventory Report Import](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/inventory-report-import.md)

### SCA (Software Composition Analysis) <a href="#sca_software_composition_analysis" id="sca_software_composition_analysis"></a>

| Format                    | Tool                          | Description                                                     |
| ------------------------- | ----------------------------- | --------------------------------------------------------------- |
| sca-sarif                 | \<any>                        | Component vulnerabilities detected by an SCA tool, SARIF format |
| sca-appscan-asoc          | HCL AppScan on Cloud / 360    | AppScan on Cloud / 360 SCA report, in XML format                |
| sca-checkmarx             | Checkmarx SCA                 | CxSCA report, in JSON format                                    |
| sca-checkmarx-one         | Checkmarx One                 | SCA scanner of Checkmarx One, in JSON format                    |
| sca-checkmarx-one-results | Checkmarx One                 | SCA scanner of Checkmarx One, exported using 'cx results show'  |
| sca-cyclonedx             | \<any>                        | CycloneDX SBOM, in JSON or XML format                           |
| sca-snyk                  | Snyk                          | Snyk SCA report, in JSON format                                 |
| sca-sonatype              | Sonatype Lifecycle (Nexus IQ) | Sonatype Lifecycle Policy Evaluation Report, in JSON format     |
| sca-sonatype-cir          | Sonatype Lifecycle (Nexus IQ) | Sonatype Lifecycle Component Information Report, in JSON format |
| sca-spdx                  | \<any>                        | SPDX SBOM, in JSON or tag-value format                          |
| sca-trivy                 | Trivy                         | Trivy SCA report, in JSON format                                |
| sca-wiz-cli               | Wiz CLI                       | Wiz CLI scan report (vulnerabilities), in JSON format           |
| sca-wiz-cnapp             | Wiz CNAPP                     | Wiz CNAPP vulnerability findings export, in JSON format         |

### SAST (Static Application Security Testing) <a href="#sast_software_application_security_testing" id="sast_software_application_security_testing"></a>

| Format                     | Tool                       | Description                                                           |
| -------------------------- | -------------------------- | --------------------------------------------------------------------- |
| sast-sarif                 | \<any>                     | Code vulnerabilities detected by a SAST tool, in SARIF format         |
| sast-appscan-xml           | HCL AppScan Source         | AppScan Source SAST report, in XML format (legacy referential format) |
| sast-appscan-asoc          | HCL AppScan on Cloud / 360 | AppScan on Cloud / 360 SAST report, in XML format                     |
| sast-brakeman              | Brakeman                   | Brakeman SAST report for Ruby, in JSON format                         |
| sast-checkmarx             | Checkmarx                  | CxSAST JSON report                                                    |
| sast-checkmarx-xml         | Checkmarx                  | CxSAST XML report                                                     |
| sast-checkmarx-one         | Checkmarx One              | SAST scanner of Checkmarx One, in JSON format                         |
| sast-checkmarx-one-results | Checkmarx One              | SAST scanner of Checkmarx One, exported using 'cx results show'       |
| sast-fortify-fpr           | Fortify                    | Fortify SAST report, in .fpr or .fvdl format                          |
| sast-fortify-xml           | Fortify                    | Fortify SAST XML report                                               |
| sast-kiuwan                | Kiuwan                     | Kiuwan SAST XML report                                                |
| sast-opengrep              | OpenGrep                   | OpenGrep SAST report, in JSON format                                  |
| sast-sonarcloud            | SonarCloud                 | SonarCloud SAST JSON report                                           |
| sast-sonarqube             | SonarQube                  | SonarQube JSON report                                                 |

{% hint style="info" %}
For Kiuwan, exporting the findings to a local file needs special configuration, as documented in [xygeni-extensions - Report upload for Kiuwan](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/report_upload/kiuwan/README.md).
{% endhint %}

{% hint style="info" %}
AppScan SARIF output (AppScan Source v10.3+, AppScan on Cloud SAST, AppScan CodeSweep) is supported via the generic `sast-sarif` format with an AppScan-specific transformer — no separate format id is needed.
{% endhint %}

{% hint style="info" %}
For Sonar, the JSON report can be downloaded from the `issues/search` endpoint at [SonarCloud Web API GET api/issues/search](https://sonarcloud.io/web_api/api/issues/search?deprecated=false\&section=params), using the parameter `additionalFields=_all` to get all additional fields for the project. If the number of issues exceeds the page-size limit (500), the query must be paginated, …​
{% endhint %}
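The paginated download the note describes, as an added Python example that is not part of Xygeni's or Sonar's own code: it walks `api/issues/search` with `additionalFields=_all` in pages of 500 and merges the pages into one document for upload. The injected `fetch` callable, the merged-document shape and the 10,000-result window check are assumptions to verify against the Sonar API and the `sast-sonarcloud` import documentation.

```python
"""Paginate Sonar api/issues/search and merge the pages into one JSON document.
Constructed example; the merged shape mirrors a single API response (assumption)."""
import base64
import json
import urllib.parse
import urllib.request

MAX_PAGE_SIZE = 500        # server-side cap on the ps parameter
MAX_RESULT_WINDOW = 10000  # assumed cap on p * ps; narrow the query beyond it


def http_fetcher(base_url, token):
    """Return fetch(params) -> dict doing a real GET, token as Basic-auth user."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(params):
        url = f"{base_url.rstrip('/')}/api/issues/search?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def fetch_all_issues(fetch, component_key, page_size=MAX_PAGE_SIZE):
    """Walk every page for component_key and merge issues, rules and components.

    `fetch` takes the query parameters and returns one parsed page; injecting it
    keeps the pagination logic testable offline (see http_fetcher for real use).
    """
    page_size = min(page_size, MAX_PAGE_SIZE)
    merged = {"issues": [], "components": [], "rules": []}
    seen = {"components": set(), "rules": set()}
    page = 1
    while True:
        if page * page_size > MAX_RESULT_WINDOW:
            raise RuntimeError("result window exceeded; split the query (by file, severity, ...)")
        doc = fetch({"componentKeys": component_key, "additionalFields": "_all",
                     "ps": page_size, "p": page})
        merged["issues"].extend(doc.get("issues", []))
        for section in ("components", "rules"):
            for item in doc.get(section, []):   # de-duplicate by key across pages
                if item["key"] not in seen[section]:
                    seen[section].add(item["key"])
                    merged[section].append(item)
        total = doc["paging"]["total"]
        if page * page_size >= total or not doc.get("issues"):
            break
        page += 1
    merged["paging"] = {"pageIndex": 1, "pageSize": len(merged["issues"]), "total": total}
    return merged
```

Write the returned dictionary with `json.dump` to a file and pass that file to `report-upload` with the Sonar format; the fake fetcher used in the test shows the response shape the function expects.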

### IaC Flaws <a href="#iac_flaws" id="iac_flaws"></a>

| Format                    | Tool                | Description                                                    |
| ------------------------- | ------------------- | -------------------------------------------------------------- |
| iac-sarif                 | \<any>              | IaC vulnerabilities detected by an IaC tool, in SARIF format   |
| iac-checkov               | Checkov             | Checkov IaC scanner, JSON format                               |
| iac-checkmarx             | Checkmarx           | IaC scanner of Checkmarx, in JSON format                       |
| iac-checkmarx-one         | Checkmarx One       | IaC scanner of Checkmarx One, in JSON format                   |
| iac-checkmarx-one-results | Checkmarx One       | IaC scanner of Checkmarx One, exported using 'cx results show' |
| iac-kics                  | KICS                | IaC vulnerabilities detected by KICS, in JSON format           |
| iac-prisma-cloud          | Prisma Cloud (CSPM) | Prisma Cloud CSPM security alerts, in JSON format              |
| iac-wiz-config            | Wiz CNAPP           | Wiz CNAPP cloud configuration findings, in JSON format         |
| iac-wiz-issues            | Wiz CNAPP           | Wiz CNAPP issues export, in JSON format                        |

### Secret Leaks

| Format             | Tool       | Description                                          |
| ------------------ | ---------- | ---------------------------------------------------- |
| secrets-sarif      | \<any>     | Secrets detected by a secrets tool, in SARIF format  |
| secrets-gitleaks   | GitLeaks   | Secrets detected by GitLeaks, in JSON format         |
| secrets-trufflehog | TruffleHog | Secrets detected by TruffleHog, in JSON-lines format |
| secrets-wiz-cli    | Wiz CLI    | Wiz CLI scan report (secrets), in JSON format        |

### DAST (Dynamic Application Security Testing)

| Format            | Tool                       | Description                                                                 |
| ----------------- | -------------------------- | --------------------------------------------------------------------------- |
| dast-acunetix-360 | Acunetix 360               | Acunetix 360 DAST report, in JSON format                                    |
| dast-acunetix-xml | Acunetix                   | Acunetix DAST report, in XML format                                         |
| dast-appscan-xml  | HCL AppScan Standard/Ent.  | AppScan Standard/Enterprise DAST report, in XML format (legacy referential) |
| dast-appscan-asoc | HCL AppScan on Cloud / 360 | AppScan on Cloud / 360 DAST report, in XML format (flat format)             |
| dast-xguardian    | XGuardian                  | XGuardian DAST report, in XML format                                        |
| dast-zap          | OWASP ZAP                  | ZAP DAST report, in XML or JSON format                                      |

### Inventory

| Format                 | Tool                | Description                                                    |
| ---------------------- | ------------------- | -------------------------------------------------------------- |
| deps-cyclonedx         | \<any>              | CycloneDX SBOM as dependency inventory, in JSON or XML format  |
| deps-spdx              | \<any>              | SPDX SBOM as dependency inventory, in JSON or tag-value format |
| inventory-prisma-cloud | Prisma Cloud (CSPM) | Prisma Cloud cloud asset inventory, in JSON format             |
| inventory-trivy-k8s    | Trivy               | Trivy Kubernetes cluster inventory, in JSON format             |
| inventory-wiz-cnapp    | Wiz CNAPP           | Wiz CNAPP cloud resources inventory, in JSON format            |

{% hint style="info" %}
For native Kubernetes workload inventory (Deployments, StatefulSets, DaemonSets, Pods, Services, RBAC, NetworkPolicies, container images and their hierarchy) compatible with Xygeni's `inventory.1` format, use the [Kubernetes Inventory Exporter](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/exporter/kubinv/README.md) — a Python script in `xygeni-extensions` that produces an `InventoryReport` JSON ready for upload with `report-upload --format inventory-xygeni`.
{% endhint %}

{% hint style="info" %}
CycloneDX and SPDX SBOMs are accepted both as **dependency inventory** (`deps-cyclonedx`, `deps-spdx`) and as **SCA findings** input (`sca-cyclonedx`, `sca-spdx`). Use the inventory form to register components without their vulnerabilities; use the SCA form to ingest vulnerabilities declared in the SBOM.
{% endhint %}
