External Scanners Supported

The xygeni report-upload command normalizes and uploads findings from third-party security tools to the Xygeni platform. The input reports are typically export formats (JSON, XML) and may follow common exchange formats like Static Analysis Results Interchange Format (SARIF) or GitLab’s Security Report Schemas.

The following tables list the supported third-party security scanners and report formats. Formats and tools are listed in alphabetical order, and Xygeni does not endorse any vendor or tool.

See the report-upload command reference for further details.

SCA (Software Composition Analysis)

| Format | Tool | Description |
|---|---|---|
| sca-sarif | <any> | Component vulnerabilities detected by an SCA tool, in SARIF format |
| sca-checkmarx | Checkmarx SCA | CxSCA report, in JSON format |
| sca-checkmarx-one | Checkmarx One | SCA scanner of Checkmarx One, in JSON format |
| sca-checkmarx-one-results | Checkmarx One | SCA scanner of Checkmarx One, exported using 'cx results show' |
| sca-snyk | Snyk | Snyk SCA report, in JSON format |

SAST (Static Application Security Testing)

| Format | Tool | Description |
|---|---|---|
| sast-sarif | <any> | Code vulnerabilities detected by a SAST tool, in SARIF format |
| sast-checkmarx | Checkmarx | CxSAST JSON report |
| sast-checkmarx-xml | Checkmarx | CxSAST XML report |
| sast-checkmarx-one | Checkmarx One | SAST scanner of Checkmarx One, in JSON format |
| sca-checkmarx-one-results | Checkmarx One | SAST scanner of Checkmarx One, exported using 'cx results show' |
| sast-fortify-fpr | Fortify | Fortify SAST report, in .fpr or .fvdl format |
| sast-fortify-xml | Fortify | Fortify SAST XML report |
| sast-kiuwan | Kiuwan | Kiuwan SAST XML report |
| sast-sonarcloud | SonarCloud | SonarCloud SAST JSON report |
| sast-sonarserver | SonarServer | SonarServer SAST JSON report |

For Kiuwan, exporting the findings to a local file needs special configuration, as documented in xygeni-extensions - Report upload for Kiuwan.

For Sonar, the JSON report can be downloaded from the issues/search endpoint of the SonarCloud Web API (GET api/issues/search), using the parameter additionalFields=_all to get all additional fields for the project. If the number of issues exceeds the per-request limit (500), the query should be paginated, …
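The following is an added example, not part of the Xygeni documentation, of paginating api/issues/search with additionalFields=_all and merging the pages into one JSON file that keeps the shape of a single response. The project key, token and output path are placeholders you supply; the fetch function is injected so the merge logic can run offline.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SONAR_ISSUES_URL = "https://sonarcloud.io/api/issues/search"
PAGE_SIZE = 500  # server-side maximum per page; larger values are clamped


def page_url(project_key, page, base=SONAR_ISSUES_URL):
    """Build the URL for one page of issues, requesting every additional field."""
    params = {"componentKeys": project_key, "additionalFields": "_all",
              "ps": PAGE_SIZE, "p": page}
    return f"{base}?{urlencode(params)}"


def http_fetch(url, token):
    """Fetch one page; the Sonar token goes in as Basic-auth user, empty password."""
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {cred}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_issues(project_key, fetch):
    """Walk every page and merge them into one dict shaped like a single page.

    `fetch(url)` returns the parsed JSON of one page. Note that the Web API only
    exposes the first 10,000 results; narrow the query (severity, type) beyond that.
    """
    merged, page = None, 1
    while True:
        data = fetch(page_url(project_key, page))
        if merged is None:  # scalars and dicts come from page 1, lists start empty
            merged = {k: ([] if isinstance(v, list) else v) for k, v in data.items()}
        for key, value in data.items():
            if not isinstance(value, list):
                continue
            if key == "issues":
                merged[key].extend(value)
            else:  # components, rules, users repeat across pages: keep one copy
                seen = {json.dumps(i, sort_keys=True) for i in merged[key]}
                merged[key].extend(i for i in value
                                   if json.dumps(i, sort_keys=True) not in seen)
        paging = data["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            break
        page += 1
    total = len(merged["issues"])
    merged["paging"] = {"pageIndex": 1, "pageSize": total, "total": total}
    return merged


def save_report(project_key, token, path):
    """Download all issues of a project into one JSON file; returns the issue count."""
    report = fetch_all_issues(project_key, lambda url: http_fetch(url, token))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh)
    return len(report["issues"])
```

The resulting file can then be passed to report-upload with the sast-sonarcloud format.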

IaC Flaws

| Format | Tool | Description |
|---|---|---|
| iac-sarif | <any> | IaC vulnerabilities detected by an IaC tool, in SARIF format |
| iac-checkov | Checkov | Checkov IaC scanner, JSON format |
| iac-kics | KICS | IaC vulnerabilities detected by KICS, in JSON format |
| iac-checkmarx | Checkmarx | IaC scanner of Checkmarx, in JSON format |
| iac-checkmarx-one | Checkmarx One | IaC scanner of Checkmarx One, in JSON format |
| iac-checkmarx-one-results | Checkmarx One | IaC scanner of Checkmarx One, exported using 'cx results show' |

Secret Leaks

| Format | Tool | Description |
|---|---|---|
| secrets-sarif | <any> | Secrets detected by a secrets tool, in SARIF format |
| secrets-gitleaks | GitLeaks | Secrets detected by GitLeaks, in JSON format |
