SCA Report Import

Import Software Composition Analysis (SCA) findings, that is, vulnerabilities in third-party dependencies (open source and proprietary), from the report of an external SCA tool.

How to import a report

  1. Download and configure the CLI Scanner. See these guidelines.

  2. Use the xygeni report-upload command:

    Convert + upload (a report file produced by the tool):

    xygeni report-upload -n=<Name> --report="path/to/report_file" -f=<format> [--branch="branch"]

    Pull (where supported — see the Pull mode section below):

    xygeni report-upload -n=<Name> --pull -f=<format> --selector key=value [--filter key=value]

    If the --branch parameter is not set, the branch will be marked as "Unknown".

  3. Go to the Xygeni dashboard to see the results.
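The steps above as a single CI-friendly wrapper, written as an added example (it is not part of the Xygeni docs or of the xygeni CLI). It resolves a branch name before uploading so that findings never land under "Unknown", rejects an unsupported -f value or a missing/empty/wrong-syntax report before spending an upload, and then runs the convert + upload command exactly as documented. Assumptions not taken from the page: GITHUB_REF_NAME and CI_COMMIT_BRANCH are used only as branch hints (GitHub Actions and GitLab CI conventions), DRY_RUN is this script's own switch, and the "starts with { or [ for JSON, < for XML" check is a heuristic of this example, not a Xygeni rule.

```shell
#!/bin/sh
# Added example, not Xygeni's own tooling: a POSIX sh wrapper around
# `xygeni report-upload` for CI pipelines.
# Assumptions (not from the page): GITHUB_REF_NAME / CI_COMMIT_BRANCH are
# only branch hints; DRY_RUN=1 prints the command instead of running it.

# The -f values listed in the "Supported formats" table.
KNOWN_FORMATS="sca-sarif sca-appscan-asoc sca-checkmarx sca-checkmarx-one
sca-checkmarx-one-results sca-snyk sca-trivy sca-wiz-cnapp sca-wiz-cli"

# validate_format FORMAT -> 0 if FORMAT is a supported -f value.
validate_format() {
  for f in $KNOWN_FORMATS; do
    [ "$f" = "$1" ] && return 0
  done
  echo "unsupported SCA format: $1" >&2
  return 1
}

# resolve_branch [BRANCH] -> prints the branch to report.
# Precedence: explicit argument, CI variables, then the local git checkout.
resolve_branch() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
  if [ -n "$GITHUB_REF_NAME" ]; then printf '%s\n' "$GITHUB_REF_NAME"; return 0; fi
  if [ -n "$CI_COMMIT_BRANCH" ]; then printf '%s\n' "$CI_COMMIT_BRANCH"; return 0; fi
  b=$(git rev-parse --abbrev-ref HEAD 2>/dev/null) || b=""
  # A detached HEAD prints "HEAD", which is not a usable branch name.
  if [ -n "$b" ] && [ "$b" != "HEAD" ]; then printf '%s\n' "$b"; return 0; fi
  echo "cannot determine branch; pass it explicitly to avoid \"Unknown\"" >&2
  return 1
}

# check_report FILE FORMAT -> 0 if FILE exists, is non-empty and its first
# non-blank character fits the format (XML for AppScan, JSON/SARIF otherwise).
# This is a cheap sanity heuristic of this example, not a Xygeni check.
check_report() {
  [ -f "$1" ] || { echo "report not found: $1" >&2; return 1; }
  [ -s "$1" ] || { echo "report is empty: $1" >&2; return 1; }
  first=$(head -c 64 "$1" | tr -d ' \t\r\n' | cut -c1)
  if [ "$2" = "sca-appscan-asoc" ]; then
    [ "$first" = '<' ] && return 0
  else
    case "$first" in '{'|'[') return 0 ;; esac
  fi
  echo "report $1 does not look like a $2 file (starts with '$first')" >&2
  return 1
}

# build_upload_cmd NAME FILE FORMAT BRANCH -> prints the documented
# convert + upload command line.
build_upload_cmd() {
  printf 'xygeni report-upload -n=%s --report=%s -f=%s --branch=%s\n' \
    "$1" "$2" "$3" "$4"
}

# upload_report NAME FILE FORMAT [BRANCH]
upload_report() {
  name=$1; file=$2; fmt=$3
  validate_format "$fmt" || return 1
  check_report "$file" "$fmt" || return 1
  branch=$(resolve_branch "$4") || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    build_upload_cmd "$name" "$file" "$fmt" "$branch"
    return 0
  fi
  command -v xygeni >/dev/null 2>&1 || { echo "xygeni CLI not on PATH" >&2; return 1; }
  xygeni report-upload -n="$name" --report="$file" -f="$fmt" --branch="$branch"
}

# Typical CI usage with Trivy (assumes Trivy is installed):
#   trivy fs --format json --output trivy.json .
#   ./upload-sca.sh my-service trivy.json sca-trivy
if [ $# -ge 3 ]; then
  upload_report "$@"
fi
```

With DRY_RUN=1 the script only prints the command it would run, which is a convenient way to confirm in a pipeline log that the branch was resolved from the CI environment rather than defaulting to "Unknown".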

Supported formats

Format                     Tool                        Description
-------------------------  --------------------------  ------------------------------------------------------------------
sca-sarif                  <any>                       Component vulnerabilities detected by an SCA tool, in SARIF format
sca-appscan-asoc           HCL AppScan on Cloud / 360  AppScan on Cloud / 360 SCA report, in XML format
sca-checkmarx              Checkmarx SCA               CxSCA report, in JSON format
sca-checkmarx-one          Checkmarx One               Checkmarx One SCA scanner results, in JSON format
sca-checkmarx-one-results  Checkmarx One               Checkmarx One SCA scanner results, exported with cx results show
sca-snyk                   Snyk                        Snyk SCA report, in JSON format
sca-trivy                  Trivy                       Trivy SCA report, in JSON format
sca-wiz-cnapp              Wiz CNAPP                   Wiz CNAPP vulnerability findings export, in JSON format
sca-wiz-cli                Wiz CLI                     Wiz CLI scan report (vulnerabilities), in JSON format

Pull mode

The following formats also support pull mode, where the scanner calls the tool's API directly instead of reading a report file from disk:

Format             Tool           Auth
-----------------  -------------  -----------------------------------------------
sca-checkmarx-one  Checkmarx One  OAuth2 client credentials
sca-wiz-cnapp      Wiz CNAPP      OAuth2 client credentials with audience=wiz-api

See Pull-mode fetch for the per-tool walkthrough (env-var setup, selectors, filters).

Dashboard results

If the name given with -n matches an existing project, the vulnerabilities in the report are added to that project in a new tab. If no project with that name exists, a new project is created.

If you are ingesting a report into an existing project and the vulnerabilities do not appear, check the branch of the project: if --branch was not set when the command was executed, Xygeni will have marked the branch as "Unknown", so look for the findings under that branch.
