# Report upload for Kiuwan

[Kiuwan](https://www.kiuwan.com/) is an application security platform whose Static Application Security Testing (SAST) product detects security vulnerabilities in source code. Xygeni can ingest Kiuwan findings via two paths — pick whichever matches your Kiuwan deployment.

## Option A — Pull mode (recommended)

The scanner calls Kiuwan's native REST API directly, fetches the latest analysis, and uploads it. **No Kiuwan-side install, no Local Analyzer custom rule, no quality-model edits.** It also carries the source/sink data-flow detail that SARIF / CSV exports drop.

```bash
export KIUWAN_URL=https://api.kiuwan.com              # SaaS; on-prem tenants use their own URL
export KIUWAN_USER=<your Kiuwan API user code>
export KIUWAN_TOKEN=<your Kiuwan API token>

xygeni report-upload --name MyApp --pull \
  -f sast-kiuwan-api \
  --selector application='My Application'
```

With an explicit analysis + filters:

```bash
xygeni report-upload --name MyApp --pull \
  -f sast-kiuwan-api \
  --selector application='My Application' \
  --selector analysisCode=A-1234567890123 \
  --filter priority='High,Very high'
```

**Selectors**

| Selector       | Required | Notes                                                                     |
| -------------- | :------: | ------------------------------------------------------------------------- |
| `application`  |    yes   | Kiuwan application name                                                   |
| `analysisCode` |    no    | Specific scan to fetch. Default: result of `/applications/last_analysis`. |

**Filters**

| Filter           | Notes                                                                                             |
| ---------------- | ------------------------------------------------------------------------------------------------- |
| `priority`       | Comma-separated. `Very low,Low,Normal,High,Very high`.                                            |
| `characteristic` | Comma-separated. Defaults to `Security` (SAST scope); pass to widen, e.g. `Security,Reliability`. |
| `language`       | Comma-separated tool-defined language list (e.g. `java,javascript`).                              |
| `muted`          | `true` / `false`.                                                                                 |

Auth is HTTP Basic with the Kiuwan API user code as the username and the token as the password. See [Pull-mode fetch](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/pull-mode-fetch.md) for the framework-level context (env-var redaction, retry/backoff, dry-run with `--no-upload`).
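To make the pull path concrete, here is an added Python sketch of what the scanner does for `sast-kiuwan-api`; it is an illustration written for this page, not Xygeni's or Kiuwan's code. Only the Basic-auth scheme, the `/applications/last_analysis` endpoint and the filter names and values come from the tables above. The `/saas/rest/v1` prefix, the per-analysis defects endpoint, the `analysisCode` response field and the defect field names are assumptions, and the defect list at the bottom is constructed sample data.

```python
"""Added illustration of the pull-mode flow; not Xygeni's or Kiuwan's code."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

PRIORITIES = ("Very low", "Low", "Normal", "High", "Very high")
API_PREFIX = "/saas/rest/v1"  # ASSUMPTION: version prefix of the Kiuwan REST API


def basic_auth_header(user: str, token: str) -> str:
    """HTTP Basic: username = Kiuwan API user code, password = API token."""
    raw = f"{user}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def last_analysis_url(base_url: str, application: str) -> str:
    """Endpoint the default pull hits when no analysisCode selector is given."""
    query = urllib.parse.urlencode({"application": application})
    return f"{base_url.rstrip('/')}{API_PREFIX}/applications/last_analysis?{query}"


def defects_url(base_url: str, analysis_code: str) -> str:
    """ASSUMPTION: defects of one analysis live under /applications/analysis/<code>/defects."""
    code = urllib.parse.quote(analysis_code, safe="")
    return f"{base_url.rstrip('/')}{API_PREFIX}/applications/analysis/{code}/defects"


def fetch_json(url: str, user: str, token: str, timeout: int = 30) -> dict:
    """GET with Basic auth. Errors carry status and URL, never the token."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, token),
                      "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"Kiuwan API returned {err.code} for {url}") from None


def parse_list(value):
    """Comma-separated filter value -> set of trimmed items; empty/None -> None."""
    if not value:
        return None
    return {item.strip() for item in value.split(",") if item.strip()}


def filter_defects(defects, priority=None, characteristic="Security",
                   language=None, muted=None):
    """Apply the --filter semantics from the table above to a defect list.
    Field names (priority, characteristic, language, muted) are assumed."""
    want_prio = parse_list(priority)
    if want_prio and not want_prio <= set(PRIORITIES):
        raise ValueError(f"unknown priority: {sorted(want_prio - set(PRIORITIES))}")
    want_char = parse_list(characteristic)
    want_lang = parse_list(language)
    if want_lang:
        want_lang = {lang.lower() for lang in want_lang}
    want_muted = None if muted is None else str(muted).lower() == "true"
    kept = []
    for d in defects:
        if want_prio and d.get("priority") not in want_prio:
            continue
        if want_char and d.get("characteristic") not in want_char:
            continue
        if want_lang and str(d.get("language", "")).lower() not in want_lang:
            continue
        if want_muted is not None and bool(d.get("muted")) != want_muted:
            continue
        kept.append(d)
    return kept


# Constructed sample of what a defects response might contain (not real data).
SAMPLE_DEFECTS = [
    {"defectId": 1, "priority": "Very high", "characteristic": "Security",
     "language": "java", "muted": False},
    {"defectId": 2, "priority": "High", "characteristic": "Security",
     "language": "javascript", "muted": True},
    {"defectId": 3, "priority": "Normal", "characteristic": "Reliability",
     "language": "java", "muted": False},
    {"defectId": 4, "priority": "Low", "characteristic": "Security",
     "language": "java", "muted": False},
]


if __name__ == "__main__":
    base = os.environ.get("KIUWAN_URL", "https://api.kiuwan.com")
    user, token = os.environ["KIUWAN_USER"], os.environ["KIUWAN_TOKEN"]
    app = os.environ.get("KIUWAN_APPLICATION", "My Application")
    last = fetch_json(last_analysis_url(base, app), user, token)
    code = last["analysisCode"]  # ASSUMPTION: field name in the last_analysis response
    defects = fetch_json(defects_url(base, code), user, token).get("defects", [])
    print(code, len(filter_defects(defects, priority="High,Very high")))
```

Run it with the three `KIUWAN_*` variables exported; the filtering functions work offline on the embedded sample. Two details worth copying into any hand-rolled client: an unknown `priority` value is rejected rather than silently matching nothing, and a failed request reports only status and URL, so the token never ends up in CI logs.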

## Option B — ExportRule + Local Analyzer (legacy, file-based)

This is the original integration path. It applies to on-premise Kiuwan installations where you'd rather not give the scanner outbound network access, or where the **`sast-kiuwan-api`** pull-mode credentials aren't available.

The Kiuwan Local Analyzer doesn't expose a built-in option to write findings to a local file. Xygeni provides a custom rule — [ExportRule](/xygeni-products/application-security-posture-management-aspm/importing-reports-from-3rd-party-tools/external-scanners-supported/report-upload-for-kiuwan/exportrule-.java.md) — that registers a post-process task to export the findings at the end of the analysis, using the standard `xml_issues` report format (the same format the Local Analyzer uses to send findings to the Kiuwan cloud service).

### Setup

#### 1. Compile the extraction rule (optional)

The rule JAR and rule descriptors are already provided in the [`dist`](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/exporter/kiuwan/dist) directory for your convenience. To rebuild them yourself:

```bash
$ cd extensions/exporter/kiuwan
$ mvn package
```

The compilation copies the jar into `dist` and runs the [generate\_rules.sh](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/exporter/kiuwan/bin/generate_rules.sh) script to create a rule descriptor per technology under [`dist/rules`](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/exporter/kiuwan/dist/rules).

{% hint style="info" %}
Kiuwan only allows one technology per rule descriptor, so one descriptor is generated per technology, each with `OPT.CRITERIUM_VALUE.LANGUAGE_PARSER.<TECH>` set to that technology.
{% endhint %}

#### 2. Install the rules and jar file

Upload the [`kiuwan-export-rule jar`](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/exporter/kiuwan/dist/kiuwan-export-rule-1.0.jar) and the [rule descriptors](https://github.com/xygeni/xygeni-extensions/blob/main/extensions/exporter/kiuwan/dist/rules) to your Kiuwan tenant.

See Kiuwan's [Installing custom rules created with Kiuwan Rule Developer](https://www.kiuwan.com/docs/display/K5/Installing+custom+rules+created+with+Kiuwan+Rule+Developer) for the full procedure. You also need to add the imported rules to an existing model so the Local Analyzer downloads them.

Once rules and jar are uploaded and added to the Kiuwan model, the Local Analyzer will execute the export rule whenever the `KIUWAN_JSON_REPORT` environment variable is set.

#### 3. Run the scan

Run the Kiuwan Local Analyzer with the path to the report file in the `KIUWAN_JSON_REPORT` environment variable (despite the variable's name, the file written is the `xml_issues` XML described above). The variable must be exported, or set on the same command line, so that `agent.sh` inherits it:

```bash
$ export KIUWAN_JSON_REPORT=/path/to/my/report.xml
$ agent.sh -s DIR -n NAME -c
...
Report file available at: /path/to/my/report.xml
```

{% hint style="info" %}
The export rule does nothing if `KIUWAN_JSON_REPORT` is not given. The path can be absolute or relative — relative paths are resolved against `$HOME` (the OS user home directory).
{% endhint %}

#### 4. Upload the Kiuwan report to Xygeni

```bash
xygeni report-upload --report=/path/to/my/report.xml --format sast-kiuwan
```
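The four steps above as one CI-side wrapper, added here as an example (not Xygeni's rule or CLI code): it exports `KIUWAN_JSON_REPORT` into the Local Analyzer's environment, resolves a relative path the way the hint describes, and refuses to upload unless a non-empty, well-formed XML file actually appeared, because the rule does nothing at all when it is missing from the model or the variable is unset. The `agent.sh` flags and the `xygeni report-upload` call are the ones shown above; the sample report content is constructed, and since the `xml_issues` schema is not reproduced on this page the check stops at well-formedness.

```python
"""Added CI wrapper around the ExportRule path; not Xygeni's or Kiuwan's code."""
import os
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed placeholder; the real xml_issues layout is not shown on this page.
SAMPLE_REPORT = b"<issues><issue rule='OPT.JAVA.SEC.SqlInjection' file='A.java' line='12'/></issues>"


def resolve_report_path(path: str, home: str = "") -> str:
    """Mirror the rule's behaviour: relative paths are resolved against $HOME,
    not against the directory agent.sh was started from."""
    if os.path.isabs(path):
        return path
    return os.path.join(home or os.path.expanduser("~"), path)


def xml_is_usable(data: bytes) -> bool:
    """Non-empty and well-formed XML; schema is not checked."""
    if not data.strip():
        return False
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return False
    return True


def report_is_usable(path: str) -> bool:
    """Fail closed: a missing or empty file means the rule never ran."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return xml_is_usable(fh.read())


def analyzer_env(report: str) -> dict:
    """Environment for agent.sh with KIUWAN_JSON_REPORT set (exported), nothing else changed."""
    return dict(os.environ, KIUWAN_JSON_REPORT=report)


def run_local_analyzer(source_dir: str, app_name: str, report: str,
                       agent: str = "agent.sh") -> str:
    """Step 3: run the Local Analyzer; returns the absolute report path it was told to write."""
    report = resolve_report_path(report)
    subprocess.run([agent, "-s", source_dir, "-n", app_name, "-c"],
                   env=analyzer_env(report), check=True)
    return report


def upload_report(report: str) -> None:
    """Step 4: hand the exported file to Xygeni."""
    subprocess.run(["xygeni", "report-upload", f"--report={report}",
                    "--format", "sast-kiuwan"], check=True)


if __name__ == "__main__":
    src, name = sys.argv[1], sys.argv[2]
    # Absolute path on purpose: no surprise resolution against $HOME.
    out = run_local_analyzer(src, name, "/tmp/kiuwan/report.xml")
    if not report_is_usable(out):
        sys.exit(f"no usable Kiuwan report at {out}; is ExportRule in the model?")
    upload_report(out)
```

Invoke it as `python3 kiuwan_export.py DIR NAME` from the same shell that can run `agent.sh` and `xygeni`. Passing an absolute report path sidesteps the `$HOME` resolution, which is the usual cause of a "report file available" line pointing somewhere the pipeline does not look.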

## When to pick which

* **New integrations, SaaS Kiuwan tenants, or any tenant where the scanner can reach the Kiuwan API** (`api.kiuwan.com` for SaaS, the tenant's own URL on-prem) → use **Option A (pull mode)**. Nothing to install Kiuwan-side; richer findings.
* **Air-gapped Local Analyzer with no outbound network access**, or **existing pipelines that already publish `report.xml` to a shared location** → use **Option B (ExportRule)**.

The ExportRule custom rule and its build artifacts live in [`xygeni/xygeni-extensions`](https://github.com/xygeni/xygeni-extensions/tree/main/extensions/exporter/kiuwan) — see that repo for the Java source, the rule descriptors generator, and the prebuilt jar.
