SAST Report Import

Static Application Security Testing findings — code vulnerabilities detected by source-code analysis.

How to import a report

  1. Download and configure the CLI Scanner. See these guidelines.

  2. Use the xygeni report-upload command:

    Convert + upload (a report file produced by the tool):

    xygeni report-upload -n=<Name> --report="path/to/report_file" -f=<format> [--branch="branch"]

    Pull (where supported — see the Pull mode section below):

    xygeni report-upload -n=<Name> --pull -f=<format> --selector key=value [--filter key=value]

    If the --branch parameter is not set, the branch will be marked as "Unknown".

  3. Move to the Xygeni dashboard to see the results.
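The three steps above can be scripted for a CI job. The following Python helper is an added example, not part of the Xygeni CLI or its documentation: it assembles the `xygeni report-upload` command in either convert+upload mode or pull mode using only the options shown on this page, refuses a pull invocation with no `--selector`, and flags the missing `--branch` case that otherwise leaves the branch marked "Unknown". It assumes `xygeni` is on PATH; the `CI_BRANCH` variable and the selector keys used in the usage section are constructed placeholders.

```python
"""Assemble a `xygeni report-upload` invocation for a CI step.

Added example, not the Xygeni CLI's own code. It assumes the `xygeni`
binary is on PATH and that the options listed on this page (-n, --report,
-f, --branch, --pull, --selector, --filter) are accepted as shown.
"""
import os
import shlex
import subprocess
from typing import Dict, List, Optional


def build_report_upload(
    name: str,
    fmt: str,
    report: Optional[str] = None,
    branch: Optional[str] = None,
    selector: Optional[Dict[str, str]] = None,
    filters: Optional[Dict[str, str]] = None,
) -> List[str]:
    """Return argv for convert+upload (report given) or pull mode (no report).

    Pull mode needs at least one --selector key=value pair, so its absence is
    an error rather than a command that fails later on the scanner side.
    """
    argv = ["xygeni", "report-upload", f"-n={name}", f"-f={fmt}"]
    if report:
        argv.append(f"--report={report}")
    else:
        if not selector:
            raise ValueError("pull mode requires at least one --selector key=value")
        argv.append("--pull")
        for key, value in selector.items():
            argv += ["--selector", f"{key}={value}"]
        for key, value in (filters or {}).items():
            argv += ["--filter", f"{key}={value}"]
    if branch:
        argv.append(f"--branch={branch}")
    return argv


def branch_warning(argv: List[str]) -> Optional[str]:
    """Describe the 'Unknown' branch pitfall from this page when --branch is absent."""
    if any(arg.startswith("--branch=") for arg in argv):
        return None
    return ('no --branch given: Xygeni will record the branch as "Unknown", '
            "so the findings may not show up under the branch you expect")


def run_upload(argv: List[str]) -> int:
    """Run the assembled command; its output goes straight to the CI log."""
    print("+", shlex.join(argv))
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed usage: a SARIF file from a code scan, branch taken from CI
    # (CI_BRANCH is a placeholder variable name, not one Xygeni defines).
    cmd = build_report_upload(
        name="payments-service",
        fmt="sast-sarif",
        report="build/reports/scan.sarif",
        branch=os.environ.get("CI_BRANCH"),
    )
    warning = branch_warning(cmd)
    if warning:
        print("warning:", warning)
    raise SystemExit(run_upload(cmd))
```

Treat the branch warning as a build failure in pipelines where findings are triaged per branch; an upload filed under "Unknown" is the most common reason results seem to vanish from the dashboard.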

Supported formats

Format                        Tool                          Description
----------------------------  ----------------------------  ----------------------------------------------------------------------
sast-sarif                    <any>                         Code vulnerabilities detected by a SAST tool, in SARIF format
sast-appscan-xml              HCL AppScan Source            AppScan Source SAST report, in XML format (legacy referential format)
sast-appscan-asoc             HCL AppScan on Cloud / 360    AppScan on Cloud / 360 SAST report, in XML format
sast-brakeman                 Brakeman                      Brakeman SAST report for Ruby, in JSON format
sast-checkmarx                Checkmarx                     CxSAST JSON report
sast-checkmarx-xml            Checkmarx                     CxSAST XML report
sast-checkmarx-one            Checkmarx One                 SAST scanner of Checkmarx One, in JSON format
sast-checkmarx-one-results    Checkmarx One                 SAST scanner of Checkmarx One, exported using cx results show
sast-fortify-fpr              Fortify                       Fortify SAST report, in .fpr or .fvdl format
sast-fortify-xml              Fortify                       Fortify SAST XML report
sast-kiuwan                   Kiuwan                        Kiuwan SAST XML report (via Local Analyzer + ExportRule)
sast-kiuwan-api               Kiuwan                        Kiuwan SAST findings via the native REST API (pull mode only)
sast-opengrep                 OpenGrep                      OpenGrep SAST report, in JSON format
sast-sonarcloud               SonarCloud                    SonarCloud SAST JSON report
sast-sonarserver              SonarServer                   SonarServer SAST JSON report
sast-sonarqube                SonarQube                     SonarQube JSON report

Pull mode

The following formats also support pull mode — the scanner calls the tool's API directly instead of reading a report file from disk:

Format                Tool             Auth
--------------------  ---------------  --------------------------------------------------------------------------------------------------------
sast-sonarcloud       SonarCloud       Bearer token
sast-sonarqube        SonarQube        Basic auth (token-as-username)
sast-kiuwan-api       Kiuwan           Basic auth (API user + token) — recommended for new Kiuwan integrations; see the Report upload for Kiuwan page
sast-checkmarx-one    Checkmarx One    OAuth2 client credentials

See Pull-mode fetch for the per-tool walkthrough (env-var setup, selectors, filters).

For Sonar, the convert+upload JSON can be downloaded from the SonarCloud Web API GET api/issues/search endpoint, using additionalField=_all to get all additional fields. If the number of issues exceeds 500, paginate the request — or use pull mode, which does this automatically.
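The pagination the paragraph above asks for is easy to get wrong (a single 500-row page silently drops the rest of the findings). The script below is an added example, not Xygeni's or Sonar's code: it walks every page of the issue search and merges the pages into one document shaped like a single search response, which is what the convert+upload path consumes. It assumes the GET api/issues/search endpoint with the `p` (page index), `ps` (page size, 500 max) and `componentKeys` query parameters, a `paging.total` field in each response, and a bearer token in a `SONAR_TOKEN` environment variable; the page spells the extra-fields parameter `additionalField`, and the plural `additionalFields` used here is my assumption to confirm against your Sonar instance. The `make_fake_fetch` helper and its `AX-issue-*` keys are constructed so the paging logic can be exercised offline.

```python
"""Page through SonarCloud's issue search so the convert+upload JSON is complete.

Added example, not Xygeni's or Sonar's own code. Assumptions: GET
api/issues/search accepts p / ps / componentKeys / additionalFields and
answers with a paging.total field; the token comes from SONAR_TOKEN.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

PAGE_SIZE = 500  # the per-request limit this page mentions; larger ps values are rejected

FetchPage = Callable[[str, Dict[str, str], str], dict]


def http_fetch_page(base_url: str, params: Dict[str, str], token: str) -> dict:
    """One authenticated GET against api/issues/search, returning the parsed JSON body."""
    query = urllib.parse.urlencode(params)
    url = f"{base_url.rstrip('/')}/api/issues/search?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_issues(
    project_key: str,
    base_url: str = "https://sonarcloud.io",
    token: str = "",
    fetch_page: FetchPage = http_fetch_page,
) -> dict:
    """Collect every issue across pages into one search-shaped document.

    `fetch_page` is injectable so the loop can be tested without network access.
    The loop stops once page * PAGE_SIZE covers paging.total, or on an empty page,
    so a miscounted total cannot make it spin forever.
    """
    issues: List[dict] = []
    components: Dict[str, dict] = {}  # de-duplicated by component key across pages
    page = 1
    while True:
        params = {
            "componentKeys": project_key,
            "additionalFields": "_all",  # page says additionalField; plural is my assumption
            "ps": str(PAGE_SIZE),
            "p": str(page),
        }
        body = fetch_page(base_url, params, token)
        page_issues = body.get("issues", [])
        issues.extend(page_issues)
        for comp in body.get("components", []):
            components[comp["key"]] = comp
        if not page_issues or page * PAGE_SIZE >= body["paging"]["total"]:
            break
        page += 1
    return {"total": len(issues), "issues": issues, "components": list(components.values())}


def make_fake_fetch(total: int) -> FetchPage:
    """Constructed stand-in for the API: `total` synthetic issues, paged like Sonar does."""
    def fake(_base: str, params: Dict[str, str], _token: str) -> dict:
        page, ps = int(params["p"]), int(params["ps"])
        start = (page - 1) * ps
        keys = [f"AX-issue-{i}" for i in range(start, min(start + ps, total))]
        return {
            "paging": {"pageIndex": page, "pageSize": ps, "total": total},
            "issues": [{"key": k, "severity": "MAJOR"} for k in keys],
            "components": [{"key": "proj:src/app.py"}],  # same component on every page
        }
    return fake


if __name__ == "__main__":
    # Real run: python sonar_issues.py <projectKey> > issues.json, then
    # xygeni report-upload -n=<Name> --report=issues.json -f=sast-sonarcloud --branch=<branch>
    merged = fetch_all_issues(sys.argv[1], token=os.environ["SONAR_TOKEN"])
    json.dump(merged, sys.stdout)
```

The merged `total` is recomputed from the collected issues rather than copied from the first page, so a mismatch between the two is an immediate sign that a page was lost; pull mode does the same walk for you and is the simpler option when the scanner can reach the Sonar API.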

Dashboard results

If the entered name matches an existing project, the vulnerabilities in the report are added to that project in a new tab. If the project does not exist, a new project is created.

If you are ingesting a report into an existing project and the vulnerabilities do not appear, check which branch the project is showing. If the --branch parameter was not set when the command was run, Xygeni will have marked the branch as "Unknown".
