IaC Flaws Report Import

Infrastructure-as-Code security findings — misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and equivalent IaC artifacts, plus Cloud Security Posture Management (CSPM) findings on the deployed resources.

How to import a report

  1. Download and configure the CLI Scanner. See these guidelines.

  2. Use the xygeni report-upload command:

    Convert + upload (a report file produced by the tool):

    xygeni report-upload -n=<Name> --report="path/to/report_file" -f=<format> [--branch="branch"]

    Pull (where supported — see the Pull mode section below):

    xygeni report-upload -n=<Name> --pull -f=<format> [--selector key=value] [--filter key=value]

    If the --branch parameter is not set, the branch will be marked as "Unknown".

  3. Move to the Xygeni dashboard to see the results.
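The three steps above, wrapped as a small POSIX shell helper. This is an added example, not Xygeni's own code: it assumes only that the CLI is on PATH as `xygeni` and accepts the options shown on this page (-n, --report, -f, --branch). Everything else (the function name, the DRY_RUN switch, the constructed sample file in the usage note) is made up for the example. The helper checks that the format is one of the supported values and that the report file is non-empty before calling the CLI, and always passes --branch (from the argument or from git) so the project is never filed under the "Unknown" branch mentioned in step 2.

```shell
#!/bin/sh
# Added example wrapper around `xygeni report-upload` (convert + upload mode).
# Assumption: `xygeni` is on PATH and takes -n, --report, -f and --branch as
# documented on this page. Function name and DRY_RUN are constructed here.
#
# upload_iac_report NAME FORMAT REPORT_FILE [BRANCH]
#   With DRY_RUN=1 the command line is printed instead of executed.
upload_iac_report() {
  name=$1; fmt=$2; report=$3; branch=${4:-}

  # Only the IaC formats listed on this page are accepted.
  case "$fmt" in
    iac-sarif|iac-checkov|iac-checkmarx|iac-checkmarx-one|iac-checkmarx-one-results| \
    iac-kics|iac-prisma-cloud|iac-wiz-issues|iac-wiz-config) ;;
    *) echo "unsupported IaC report format: $fmt" >&2; return 2 ;;
  esac

  # Refuse to upload a missing or empty report (a failed scan often leaves one behind).
  [ -s "$report" ] || { echo "report file missing or empty: $report" >&2; return 2; }

  # Always set --branch: fall back to the current git branch, but never to
  # a detached "HEAD", otherwise the project would be filed under "Unknown".
  [ -n "$branch" ] || branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
  [ -n "$branch" ] && [ "$branch" != HEAD ] || {
    echo "cannot determine branch; pass it as the 4th argument" >&2; return 2; }

  set -- xygeni report-upload "-n=$name" "--report=$report" "-f=$fmt" "--branch=$branch"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"     # show what would run
  else
    "$@"                   # run the CLI; its exit status is returned
  fi
}

# Usage (constructed file name):
#   upload_iac_report my-infra iac-checkov ./checkov-report.json main
```

Run it from the repository you scanned so the git fallback picks the right branch, or pass the branch explicitly in CI where the checkout is often detached.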

Supported formats

Format                      Tool            Description
iac-sarif                   <any>           IaC vulnerabilities detected by an IaC tool, in SARIF format
iac-checkov                 Checkov         Checkov IaC scanner, JSON format
iac-checkmarx               Checkmarx       IaC scanner of Checkmarx, in JSON format
iac-checkmarx-one           Checkmarx One   IaC scanner of Checkmarx One, in JSON format
iac-checkmarx-one-results   Checkmarx One   IaC scanner of Checkmarx One, exported using cx results show
iac-kics                    KICS            IaC vulnerabilities detected by KICS, in JSON format
iac-prisma-cloud            Prisma Cloud    Prisma Cloud CSPM security alerts (policy violations), JSON
iac-wiz-issues              Wiz CNAPP       Wiz issues (Toxic Combinations, Threats, Cloud Misconfigurations), JSON
iac-wiz-config              Wiz CNAPP       Wiz cloud configuration findings (CSPM), JSON

Pull mode

The following formats also support pull mode — the scanner calls the tool's API directly instead of reading a report file from disk:

Format                      Tool            Auth
iac-checkmarx-one           Checkmarx One   OAuth2 client credentials
iac-prisma-cloud            Prisma Cloud    Custom /login token (Prisma x-redlock-auth)
iac-wiz-issues              Wiz CNAPP       OAuth2 client credentials with audience=wiz-api
iac-wiz-config              Wiz CNAPP       OAuth2 client credentials with audience=wiz-api

See Pull-mode fetch for the per-tool walkthrough (env-var setup, selectors, filters).

Dashboard results

If the entered name matches an existing project, the vulnerabilities in the report will be added to that project in a new tab. If the project does not exist, a new project will be created.

If you are ingesting a report into an existing project and the vulnerabilities do not appear, check the branch of the project. If you did not set the --branch parameter when executing the command, Xygeni has marked the branch as "Unknown", and the findings are listed under that branch rather than the one you are viewing.
