# External Scanners Supported

The `xygeni report-upload` command normalizes and uploads findings from third-party security tools to the Xygeni platform. The input reports are typically export formats (JSON, XML) and may follow common exchange formats like *Static Analysis Results Interchange Format* ([SARIF](https://sarifweb.azurewebsites.net/)) or GitLab’s [Security Report Schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas).

The following tables list the third-party security scanners and report formats supported, grouped by finding type. The same list can be printed by running *`report-upload --show-formats`* from the Xygeni scanner. Formats and tools are listed in alphabetical order. Xygeni does not endorse any vendor or tool.

Go to [report-upload command reference](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools.md) for further details.

### SCA (Software Composition Analysis) <a href="#sca_software_composition_analysis" id="sca_software_composition_analysis"></a>

| Format                    | Tool          | Description                                                    |
| ------------------------- | ------------- | -------------------------------------------------------------- |
| sca-sarif                 | \<any>        | Component vulnerabilities detected by a SCA tool, SARIF format |
| sca-checkmarx             | Checkmarx SCA | CxSCA report, in JSON format                                   |
| sca-checkmarx-one         | Checkmarx One | SCA scanner of Checkmarx One, in JSON format                   |
| sca-checkmarx-one-results | Checkmarx One | SCA scanner of Checkmarx One, exported using 'cx results show' |
| sca-snyk                  | Snyk          | Snyk SCA report, in JSON format                                |
| sca-trivy                 | Trivy         | Trivy SCA report, in JSON format                               |

### SAST (Static Application Security Testing) <a href="#sast_software_application_security_testing" id="sast_software_application_security_testing"></a>

| Format                    | Tool          | Description                                                     |
| ------------------------- | ------------- | --------------------------------------------------------------- |
| sast-sarif                | \<any>        | Code vulnerabilities detected by a SAST tool, in SARIF format   |
| sast-brakeman             | Brakeman      | Brakeman SAST report for Ruby, in JSON format                   |
| sast-checkmarx            | Checkmarx     | CxSAST JSON report                                              |
| sast-checkmarx-xml        | Checkmarx     | CxSAST XML report                                               |
| sast-checkmarx-one        | Checkmarx One | SAST scanner of Checkmarx One, in JSON format                   |
| sca-checkmarx-one-results | Checkmarx One | SAST scanner of Checkmarx One, exported using 'cx results show' |
| sast-fortify-fpr          | Fortify       | Fortify SAST report, in .fpr or .fvdl format                    |
| sast-fortify-xml          | Fortify       | Fortify SAST XML report                                         |
| sast-kiuwan               | Kiuwan        | Kiuwan SAST XML report                                          |
| sast-opengrep             | OpenGrep      | OpenGrep SAST report, in JSON format                            |
| sast-sonarcloud           | SonarCloud    | SonarCloud SAST JSON report                                     |
| sast-sonarserver          | SonarServer   | SonarServer SAST JSON report                                    |
| sast-sonarqube            | SonarQube     | SonarQube JSON report                                           |

{% hint style="info" %}
For Kiuwan, exporting the findings to a local file requires additional configuration, as documented in [xygeni-extensions - Report upload for Kiuwan](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/report_upload/kiuwan/README.md).
{% endhint %}

{% hint style="info" %}
For Sonar, the JSON report can be downloaded from the issues/search endpoint, documented at [SonarCloud Web API GET api/issues/search](https://sonarcloud.io/web_api/api/issues/search?deprecated=false\&section=params), using the parameter `additionalFields=_all` to get all additional fields for the project. If the number of issues exceeds the page limit (500), the query must be paginated, …
{% endhint %}
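The pagination the hint leaves open, as an added example that is not Xygeni's or Sonar's own code: it walks `api/issues/search` page by page with `additionalFields=_all`, de-duplicates the side tables (components, rules, users) that repeat on every page, and writes the pages out as one document shaped like a single response. The Bearer-token transport, the `SONAR_TOKEN` / `SONAR_PROJECT_KEY` variables and the assumption that the merged response shape is what `report-upload` expects are mine, not from the page.

```python
"""Pull every issue of a SonarCloud project via api/issues/search, paginating past the 500-per-page limit."""
import json
import os
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict

PAGE_SIZE_MAX = 500  # per-page limit quoted in the hint above
Fetch = Callable[[Dict[str, Any]], Dict[str, Any]]  # query params -> parsed JSON body

def fetch_all_issues(fetch_page: Fetch, project_key: str,
                     page_size: int = PAGE_SIZE_MAX) -> Dict[str, Any]:
    """Walk every page and merge them into one document shaped like a single response.
    fetch_page does the HTTP GET; injecting it keeps the pagination testable offline."""
    page_size = min(page_size, PAGE_SIZE_MAX)
    merged: Dict[str, Any] = {"issues": [], "components": [], "rules": [], "users": []}
    seen: Dict[str, set] = {name: set() for name in ("components", "rules", "users")}
    page, total = 1, 0
    while True:
        body = fetch_page({"componentKeys": project_key, "additionalFields": "_all",
                           "p": page, "ps": page_size})
        merged["issues"].extend(body.get("issues", []))
        # The side tables added by additionalFields=_all repeat on every page;
        # keep each component/rule/user once so the merged file stays consistent.
        for name, id_field in (("components", "key"), ("rules", "key"), ("users", "login")):
            for item in body.get(name, []):
                if item[id_field] not in seen[name]:
                    seen[name].add(item[id_field])
                    merged[name].append(item)
        total = body.get("paging", {}).get("total", len(merged["issues"]))
        if not body.get("issues") or len(merged["issues"]) >= total:
            break
        page += 1
    merged["paging"] = {"pageIndex": 1, "pageSize": len(merged["issues"]), "total": total}
    return merged

def sonarcloud_fetch(params: Dict[str, Any]) -> Dict[str, Any]:
    """Assumed transport: GET sonarcloud.io, SONAR_TOKEN sent as a Bearer token."""
    url = "https://sonarcloud.io/api/issues/search?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + os.environ["SONAR_TOKEN"]})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

if __name__ == "__main__":  # writes a single file that report-upload can then import (assumed shape)
    report = fetch_all_issues(sonarcloud_fetch, os.environ["SONAR_PROJECT_KEY"])
    with open("sonar-issues.json", "w", encoding="utf-8") as f:
        json.dump(report, f)
```

The resulting `sonar-issues.json` is then passed to `report-upload` with the matching `sast-sonarcloud` format.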

### IaC Flaws <a href="#iac_flaws" id="iac_flaws"></a>

| Format                    | Tool          | Description                                                    |
| ------------------------- | ------------- | -------------------------------------------------------------- |
| iac-sarif                 | \<any>        | IaC vulnerabilities detected by an IaC tool, in SARIF format   |
| iac-checkov               | Checkov       | Checkov IaC scanner, JSON format                               |
| iac-checkmarx             | Checkmarx     | IaC scanner of Checkmarx, in JSON format                       |
| iac-checkmarx-one         | Checkmarx One | IaC scanner of Checkmarx One, in JSON format                   |
| iac-checkmarx-one-results | Checkmarx One | IaC scanner of Checkmarx One, exported using 'cx results show' |
| iac-kics                  | KICS          | IaC vulnerabilities detected by KICS, in JSON format           |

### Secret Leaks

| Format             | Tool       | Description                                          |
| ------------------ | ---------- | ---------------------------------------------------- |
| secrets-sarif      | \<any>     | Secrets detected by a secrets tool, in SARIF format  |
| secrets-gitleaks   | GitLeaks   | Secrets detected by GitLeaks, in JSON format         |
| secrets-trufflehog | TruffleHog | Secrets detected by TruffleHog, in JSON-lines format |

### DAST (Dynamic Application Security Testing)

| Format            | Tool      | Description                              |
| ----------------- | --------- | ---------------------------------------- |
| dast-acunetix-360 | Acunetix  | Acunetix 360 DAST report, in JSON format |
| dast-acunetix-xml | Acunetix  | Acunetix DAST report, in XML format      |
| dast-zap          | OWASP ZAP | ZAP DAST report, in XML or JSON format   |

### Inventory

| Format              | Tool  | Description                                        |
| ------------------- | ----- | -------------------------------------------------- |
| inventory-trivy-k8s | Trivy | Trivy Kubernetes cluster inventory, in JSON format |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.xygeni.io/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/external-scanners-supported.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
