# External Scanners Supported

The `xygeni report-upload` command normalizes and uploads findings from third-party security tools to the Xygeni platform. The input reports are typically export formats (JSON, XML) and may follow common exchange formats like *Static Analysis Results Interchange Format* ([SARIF](https://sarifweb.azurewebsites.net/)) or GitLab’s [Security Report Schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas).

The following is the list of third-party security scanners and report formats supported. The same list can be printed by running *`report-upload --show-formats`* with the Xygeni scanner. Formats and tools are listed in alphabetical order. Xygeni does not endorse any vendor or tool.

Go to [report-upload command reference](https://docs.xygeni.io/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools) for further details.

### SCA (Software Composition Analysis) <a href="#sca_software_composition_analysis" id="sca_software_composition_analysis"></a>

| Format                    | Tool          | Description                                                    |
| ------------------------- | ------------- | -------------------------------------------------------------- |
| sca-sarif                 | \<any>        | Component vulnerabilities detected by a SCA tool, SARIF format |
| sca-checkmarx             | Checkmarx SCA | CxSCA report, in JSON format                                   |
| sca-checkmarx-one         | Checkmarx One | SCA scanner of Checkmarx One, in JSON format                   |
| sca-checkmarx-one-results | Checkmarx One | SCA scanner of Checkmarx One, exported using 'cx results show' |
| sca-snyk                  | Snyk          | Snyk SCA report, in JSON format                                |
| sca-trivy                 | Trivy         | Trivy SCA report, in JSON format                               |

### SAST (Static Application Security Testing) <a href="#sast_software_application_security_testing" id="sast_software_application_security_testing"></a>

| Format                    | Tool          | Description                                                     |
| ------------------------- | ------------- | --------------------------------------------------------------- |
| sast-sarif                | \<any>        | Code vulnerabilities detected by a SAST tool, in SARIF format   |
| sast-brakeman             | Brakeman      | Brakeman SAST report for Ruby, in JSON format                   |
| sast-checkmarx            | Checkmarx     | CxSAST JSON report                                              |
| sast-checkmarx-xml        | Checkmarx     | CxSAST XML report                                               |
| sast-checkmarx-one        | Checkmarx One | SAST scanner of Checkmarx One, in JSON format                   |
| sca-checkmarx-one-results | Checkmarx One | SAST scanner of Checkmarx One, exported using 'cx results show' |
| sast-fortify-fpr          | Fortify       | Fortify SAST report, in .fpr or .fvdl format                    |
| sast-fortify-xml          | Fortify       | Fortify SAST XML report                                         |
| sast-kiuwan               | Kiuwan        | Kiuwan SAST XML report                                          |
| sast-opengrep             | OpenGrep      | OpenGrep SAST report, in JSON format                            |
| sast-sonarcloud           | SonarCloud    | SonarCloud SAST JSON report                                     |
| sast-sonarserver          | SonarServer   | SonarServer SAST JSON report                                    |
| sast-sonarqube            | SonarQube     | SonarQube JSON report                                           |

{% hint style="info" %}
For Kiuwan, exporting the findings to a local file needs special configuration, as documented in [xygeni-extensions - Report upload for Kiuwan](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/report_upload/kiuwan/README.md).
{% endhint %}

{% hint style="info" %}
For Sonar, the JSON report can be downloaded from the issues/search endpoint at [SonarCloud Web API GET api/issues/search](https://sonarcloud.io/web_api/api/issues/search?deprecated=false\&section=params), using the parameter `additionalFields=_all` to get all additional fields for the project. If the number of issues exceeds the page limit (500), the query should be paginated, …
{% endhint %}
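The pagination the hint describes, as an added example that is not Xygeni's code or part of its documentation. It walks `api/issues/search` page by page with `additionalFields=_all` and merges the pages into one JSON document that keeps the shape of a single response. The `componentKeys`, `p`, `ps` and `additionalFields` query parameters, the token-as-Basic-auth-user login and the `paging` block in the response are the endpoint's documented behaviour; the 10,000-result ceiling on `p * ps` and the assumption that the importer accepts the merged single-response shape should be verified against your own Sonar instance and Xygeni version. The sample pages at the bottom are constructed so the merge logic can be exercised offline.

```python
"""Paginate SonarCloud's api/issues/search and merge the pages into one JSON report.

Added example, not Xygeni's code. Assumptions are marked in the comments.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request
from typing import Callable, Dict

PAGE_SIZE = 500       # per-page maximum mentioned in the hint above
MAX_RESULTS = 10000   # assumption: the endpoint serves only the first 10,000 results (p * ps <= 10000)

PageFetcher = Callable[[int, int], Dict]


def sonar_page_fetcher(base_url: str, project_key: str, token: str) -> PageFetcher:
    """Build a fetcher that GETs one page of api/issues/search with additionalFields=_all.

    The user token goes in as the Basic-auth user name with an empty password,
    which is how SonarCloud/SonarQube accept tokens.
    """
    def fetch(p: int, ps: int) -> Dict:
        query = urllib.parse.urlencode({
            "componentKeys": project_key, "additionalFields": "_all", "p": p, "ps": ps,
        })
        req = urllib.request.Request(f"{base_url.rstrip('/')}/api/issues/search?{query}")
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def fetch_all_issues(fetch_page: PageFetcher, page_size: int = PAGE_SIZE) -> Dict:
    """Fetch every page and merge them into one response-shaped document.

    Issues are concatenated; the ancillary lists (components, rules, users) that
    every page repeats are deduplicated by their key so the merged file stays small.
    """
    merged: Dict = {"issues": [], "components": [], "rules": [], "users": []}
    seen = {name: set() for name in ("components", "rules", "users")}
    page = 1
    while True:
        body = fetch_page(page, page_size)
        issues = body.get("issues", [])
        paging = body.get("paging", {})
        total = paging.get("total", len(issues))
        ps = paging.get("pageSize") or page_size   # trust the server's actual page size
        merged["issues"].extend(issues)
        for name, key in (("components", "key"), ("rules", "key"), ("users", "login")):
            for item in body.get(name, []):
                ident = item.get(key)
                if ident not in seen[name]:
                    seen[name].add(ident)
                    merged[name].append(item)
        if not issues or page * ps >= total:
            break
        if page * ps >= MAX_RESULTS:
            # assumption: the API refuses pages beyond 10,000 results; narrow the
            # query (e.g. by severity or type) rather than paging further
            merged["truncated"] = True
            break
        page += 1
    n = len(merged["issues"])
    merged["total"] = n
    merged["paging"] = {"pageIndex": 1, "pageSize": n, "total": n}
    return merged


# Constructed sample pages: only the response fields the merge logic touches,
# with a page size of 2 and 5 issues in total, so 3 pages are needed.
SAMPLE_PAGES: Dict[int, Dict] = {
    1: {"paging": {"pageIndex": 1, "pageSize": 2, "total": 5},
        "issues": [{"key": "i1"}, {"key": "i2"}],
        "components": [{"key": "c1"}], "rules": [{"key": "r1"}], "users": []},
    2: {"paging": {"pageIndex": 2, "pageSize": 2, "total": 5},
        "issues": [{"key": "i3"}, {"key": "i4"}],
        "components": [{"key": "c1"}, {"key": "c2"}], "rules": [{"key": "r1"}], "users": []},
    3: {"paging": {"pageIndex": 3, "pageSize": 2, "total": 5},
        "issues": [{"key": "i5"}],
        "components": [{"key": "c2"}], "rules": [{"key": "r1"}, {"key": "r2"}], "users": []},
}


def dict_page_fetcher(pages: Dict[int, Dict]) -> PageFetcher:
    """Offline fetcher that serves the constructed pages above."""
    def fetch(p: int, ps: int) -> Dict:
        return pages[p]
    return fetch


if __name__ == "__main__":
    # usage: python sonar_issues.py https://sonarcloud.io <projectKey> <token> report.json
    base, project, token, out = sys.argv[1:5]
    report = fetch_all_issues(sonar_page_fetcher(base, project, token))
    with open(out, "w", encoding="utf-8") as fh:
        json.dump(report, fh)
    print(f"wrote {report['total']} issues to {out}")
```

The resulting file is what you would pass to `report-upload` under the `sast-sonarcloud` format; run the offline sample first (`fetch_all_issues(dict_page_fetcher(SAMPLE_PAGES), page_size=2)`) to see the merged shape before pointing it at a real project.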

### IaC Flaws <a href="#iac_flaws" id="iac_flaws"></a>

| Format                    | Tool          | Description                                                    |
| ------------------------- | ------------- | -------------------------------------------------------------- |
| iac-sarif                 | \<any>        | IaC vulnerabilities detected by an IaC tool, in SARIF format   |
| iac-checkov               | Checkov       | Checkov IaC scanner, JSON format                               |
| iac-checkmarx             | Checkmarx     | IaC scanner of Checkmarx, in JSON format                       |
| iac-checkmarx-one         | Checkmarx One | IaC scanner of Checkmarx One, in JSON format                   |
| iac-checkmarx-one-results | Checkmarx One | IaC scanner of Checkmarx One, exported using 'cx results show' |
| iac-kics                  | KICS          | IaC vulnerabilities detected by KICS, in JSON format           |

### Secret Leaks

| Format             | Tool       | Description                                          |
| ------------------ | ---------- | ---------------------------------------------------- |
| secrets-sarif      | \<any>     | Secrets detected by a secrets tool, in SARIF format  |
| secrets-gitleaks   | GitLeaks   | Secrets detected by GitLeaks, in JSON format         |
| secrets-trufflehog | TruffleHog | Secrets detected by TruffleHog, in JSON-lines format |

### DAST (Dynamic Application Security Testing)

| Format            | Tool      | Description                              |
| ----------------- | --------- | ---------------------------------------- |
| dast-acunetix-360 | Acunetix  | Acunetix 360 DAST report, in JSON format |
| dast-acunetix-xml | Acunetix  | Acunetix DAST report, in XML format      |
| dast-zap          | OWASP Zap | ZAP DAST report, in XML or JSON format   |

### Inventory

| Format              | Tool  | Description                                        |
| ------------------- | ----- | -------------------------------------------------- |
| inventory-trivy-k8s | Trivy | Trivy Kubernetes cluster inventory, in JSON format |
