External Scanners Supported

The xygeni report-upload command normalizes and uploads findings from third-party security tools to the Xygeni platform. The input reports are typically export formats (JSON, XML) and may follow common exchange formats such as the Static Analysis Results Interchange Format (SARIF) or GitLab's Security Report Schemas.

The following is the list of supported third-party security scanners and report formats. Formats and tools are listed in alphabetical order. Xygeni does not endorse any vendor or tool.

See the report-upload command reference for further details.

SCA (Software Composition Analysis)

| Format | Tool | Description |
|---|---|---|
| sca-sarif | <any> | Component vulnerabilities detected by an SCA tool, in SARIF format |
| sca-checkmarx | Checkmarx SCA | CxSCA report, in JSON format |
| sca-checkmarx-one | Checkmarx One | SCA scanner of Checkmarx One, in JSON format |
| sca-checkmarx-one-results | Checkmarx One | SCA scanner of Checkmarx One, exported using 'cx results show' |
| sca-snyk | Snyk | Snyk SCA report, in JSON format |

SAST (Static Application Security Testing)

| Format | Tool | Description |
|---|---|---|
| sast-sarif | <any> | Code vulnerabilities detected by a SAST tool, in SARIF format |
| sast-checkmarx | Checkmarx | CxSAST JSON report |
| sast-checkmarx-xml | Checkmarx | CxSAST XML report |
| sast-checkmarx-one | Checkmarx One | SAST scanner of Checkmarx One, in JSON format |
| sca-checkmarx-one-results | Checkmarx One | SAST scanner of Checkmarx One, exported using 'cx results show' |
| sast-fortify-fpr | Fortify | Fortify SAST report, in .fpr or .fvdl format |
| sast-fortify-xml | Fortify | Fortify SAST XML report |
| sast-kiuwan | Kiuwan | Kiuwan SAST XML report |
| sast-sonarcloud | SonarCloud | SonarCloud SAST JSON report |
| sast-sonarserver | SonarServer | SonarServer SAST JSON report |

Note: For Kiuwan, exporting the findings to a local file needs special configuration, as documented in xygeni-extensions - Report upload for Kiuwan.

Note: For Sonar, the JSON report can be downloaded from the issues/search endpoint (SonarCloud Web API, GET api/issues/search), using the parameter additionalField=_all to get all additional fields for the project. If the number of issues exceeds the limit (500), the query should be paginated, …​

IaC Flaws

| Format | Tool | Description |
|---|---|---|
| iac-sarif | <any> | IaC vulnerabilities detected by an IaC tool, in SARIF format |
| iac-checkov | Checkov | Checkov IaC scanner, JSON format |
| iac-kics | KICS | IaC vulnerabilities detected by KICS, in JSON format |
| iac-checkmarx | Checkmarx | IaC scanner of Checkmarx, in JSON format |
| iac-checkmarx-one | Checkmarx One | IaC scanner of Checkmarx One, in JSON format |
| iac-checkmarx-one-results | Checkmarx One | IaC scanner of Checkmarx One, exported using 'cx results show' |

Secret Leaks

| Format | Tool | Description |
|---|---|---|
| secrets-sarif | <any> | Secrets detected by a secrets tool, in SARIF format |
| secrets-gitleaks | GitLeaks | Secrets detected by GitLeaks, in JSON format |

DAST (Dynamic Application Security Testing)

| Format | Tool | Description |
|---|---|---|
| dast-acunetix-360 | Acunetix | Acunetix 360 DAST report, in JSON format |
| dast-acunetix-xml | Acunetix | Acunetix DAST report, in XML format |
| dast-zap | OWASP ZAP | ZAP DAST report, in XML or JSON format |
