# Inventory Scanner

## Table of Contents

1. [Purpose](#purpose)
2. [Quick Start](#quick_start)
3. [Usage](#usage)
4. [Configuration](https://docs.xygeni.io/xygeni-products/application-security-posture-management-aspm/inventory-scanner/inventory-scanner-configuration)
5. [Collaborators Scan](https://docs.xygeni.io/xygeni-products/application-security-posture-management-aspm/inventory-scanner/inventory-collaborators-scan)

### Purpose

A **build/deploy pipeline** automates software delivery through a series of processes and tools. These include source control, build tools, continuous integration, automated testing (unit, integration, and regression tests), validation, reporting, and software distribution.

In build/deploy pipelines, the assets involved are referred to as **SDLC assets**. The Xygeni platform automatically discovers an **inventory of SDLC assets** and their relationships within an organization's pipelines. Security issues and unusual activity events detected by Xygeni are subsequently mapped to the target SDLC assets.

Use the `xygeni inventory` CLI command to discover SDLC assets.

Discovery involves extracting information from available sources such as project and dependency descriptors, build files, CI/CD workflow pipelines, and IaC templates. This process can be enhanced by using the tools' APIs to fetch additional data that better qualifies each discovered asset.

{% hint style="info" %}
For more details about the **inventory** please refer to the [Inventory](https://docs.xygeni.io/xygeni-products/application-security-posture-management-aspm/inventory) documentation.
{% endhint %}

### Quick Start <a href="#quick_start" id="quick_start"></a>

The CLI command to run an inventory scan:

```bash
xygeni inventory --dir DIR --upload
```

This scans for assets related to build/deploy pipelines and compiles an inventory, then uploads the results to the Xygeni platform; use `--no-upload` instead to skip the upload.

{% hint style="info" %}
**`--dir`** specifies the directory containing the software project to analyze, which may have been cloned from a Git repository.
{% endhint %}

{% hint style="info" %}
There are two ways to run the inventory scanner:

1. Executing its own specific command (`xygeni inventory [options]`).
2. Executing the general command (`xygeni scan --run="inventory" [options]`), which runs all available scanners.
{% endhint %}

{% hint style="info" %}
Issues are linked to inventory assets **ONLY** when the scans are run together with the inventory step. It is recommended to run a full [`scan` command](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-operation-modes/single-scan#xygeni-scan) for inventory processing.

**Running** the `inventory` scan **alone** should be used for **configuration** and **testing**.
{% endhint %}

The CLI command produces the following output:

```
Assets found: 69
┌───────────────────┬─────────────────────────────┬───────────────────────────────────┬────┐
│       Kind        │Name                         │Belongs To                         │Tags│
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│     code_repo     │myorg/ProductXYZ             │                                   │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│   cicd_pipeline   │clean-packages               │code_repo:github:myorg/ProductXYZ  │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│   cicd_pipeline   │codeql-analysis              │code_repo:github:myorg/ProductXYZ  │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│   cicd_pipeline   │deploy-maven                 │code_repo:github:myorg/ProductXYZ  │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│ ...
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│   dependencies    │docs                         │code_repo:github:myorg/ProductXYZ  │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│   security_tool   │CodeQL                       │code_repo:github:myorg/ProductXYZ  │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│cloud_configuration│deployment/docker/Dockerfile │code_repo:github:myorg/ProductXYZ  │    │
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│   organization    │myorg                        │                                   │    │
└───────────────────┴─────────────────────────────┴───────────────────────────────────┴────┘

2023-03-28 18:30:26 [main] WARN InventoryCommand - report uploaded with analysis code: AN-demo@myorg-184
```
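As an added example (not Xygeni's own code), the following Python script parses the text-format table above into assets and their `Belongs To` relations, then runs two checks a platform team would want: which code repositories have no `security_tool` asset attached, and whether the number of parsed rows matches the `Assets found:` header (it will not when the table is truncated with `...`, as in the excerpt above). The sample input is constructed from the page's output with one extra repository added; the `kind:<qualifier>:name` layout assumed for `Belongs To` values is inferred from that output.

```python
"""Parse the text output of `xygeni inventory` and run posture checks on it.

Added example, not Xygeni's own code. Assumes the four-column table layout
(Kind | Name | Belongs To | Tags) and that a "Belongs To" value has the
layout kind:<qualifier>:name, e.g. code_repo:github:myorg/ProductXYZ.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the page's output. The truncated "..." row and
# the separators between rows are dropped (the parser ignores both), and a
# second repository with no security tool attached is added.
SAMPLE_OUTPUT = """\
Assets found: 10
┌───────────────────┬─────────────────────────────┬───────────────────────────────────┬────┐
│       Kind        │Name                         │Belongs To                         │Tags│
├───────────────────┼─────────────────────────────┼───────────────────────────────────┼────┤
│     code_repo     │myorg/ProductXYZ             │                                   │    │
│   cicd_pipeline   │clean-packages               │code_repo:github:myorg/ProductXYZ  │    │
│   cicd_pipeline   │codeql-analysis              │code_repo:github:myorg/ProductXYZ  │    │
│   cicd_pipeline   │deploy-maven                 │code_repo:github:myorg/ProductXYZ  │    │
│   dependencies    │docs                         │code_repo:github:myorg/ProductXYZ  │    │
│   security_tool   │CodeQL                       │code_repo:github:myorg/ProductXYZ  │    │
│cloud_configuration│deployment/docker/Dockerfile │code_repo:github:myorg/ProductXYZ  │    │
│     code_repo     │myorg/LegacyTool             │                                   │    │
│   cicd_pipeline   │build                        │code_repo:github:myorg/LegacyTool  │    │
│   organization    │myorg                        │                                   │    │
└───────────────────┴─────────────────────────────┴───────────────────────────────────┴────┘
2023-03-28 18:30:26 [main] WARN InventoryCommand - report uploaded with analysis code: AN-demo@myorg-184
"""


@dataclass(frozen=True)
class Asset:
    kind: str
    name: str
    belongs_to: str  # raw "Belongs To" cell, empty for top-level assets
    tags: str


def parse_inventory(text: str) -> tuple[int | None, list[Asset]]:
    """Return (declared asset count, parsed assets) from the text report."""
    declared, assets = None, []
    for line in text.splitlines():
        m = re.match(r"Assets found:\s*(\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        if not line.startswith("│"):
            continue  # box-drawing borders, separators and log lines
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) != 4 or cells[0] == "Kind":
            continue  # header row, or the truncated "│ ..." row
        assets.append(Asset(*cells))
    return declared, assets


def parent_key(belongs_to: str) -> tuple[str, str] | None:
    """'code_repo:github:myorg/ProductXYZ' -> ('code_repo', 'myorg/ProductXYZ')."""
    if not belongs_to:
        return None
    kind, _, rest = belongs_to.partition(":")
    return kind, rest.rsplit(":", 1)[-1]  # assumed kind:<qualifier>:name layout


def children_by_parent(assets: list[Asset]) -> dict[tuple[str, str], list[Asset]]:
    tree: dict[tuple[str, str], list[Asset]] = defaultdict(list)
    for a in assets:
        key = parent_key(a.belongs_to)
        if key is not None:
            tree[key].append(a)
    return tree


def repos_without_security_tool(assets: list[Asset]) -> list[str]:
    """Code repositories with no security_tool asset attached to them."""
    tree = children_by_parent(assets)
    return sorted(
        a.name for a in assets
        if a.kind == "code_repo"
        and not any(c.kind == "security_tool" for c in tree.get((a.kind, a.name), []))
    )


def pipelines_by_repo(assets: list[Asset]) -> dict[str, list[str]]:
    """Map each code repository to the names of its CI/CD pipelines."""
    tree = children_by_parent(assets)
    return {
        a.name: sorted(c.name for c in tree.get((a.kind, a.name), []) if c.kind == "cicd_pipeline")
        for a in assets if a.kind == "code_repo"
    }


def count_matches(text: str) -> bool:
    """False when the table was truncated or rows failed to parse."""
    declared, assets = parse_inventory(text)
    return declared is not None and declared == len(assets)


if __name__ == "__main__":
    _, found = parse_inventory(SAMPLE_OUTPUT)
    for repo, pipes in pipelines_by_repo(found).items():
        print(f"{repo}: pipelines={pipes}")
    print("repos without a security tool:", repos_without_security_tool(found))
    print("row count consistent:", count_matches(SAMPLE_OUTPUT))
```

For anything beyond a spot check, run the scanner with `--format=json` or `--format=csv` and read that instead of the text table; the parser above is only for the human-readable report, and it deliberately treats a `...` truncation as a count mismatch rather than a complete inventory.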

The command has the following options:

```
Usage:

xygeni inventory [-huV] [-n=<name>]
  [-d=<directory>] [-e=<excludePatterns>] [-i=<includePatterns>]
  [-repo=<repo>] [--repo-branch=<repoBranch>]
  [--image=<image>] [--image-platform=<platform>]
  [--image-sources=<sources>] [--image-scope=<scope>]
  [-o=<output>] [-f=<format>] [--report-columns=<reportColumns>]
  [-c=<config>] [--[no-]conf-download]
  [--detectors=<detectors>] [--skip-detectors=<skipDetectors>]
  [--never-fail] [@<filename>...]

Discover SDLC assets for a project.

Parameters:
      [@<filename>...]       One or more argument files containing options.
  -n, --name=<name>          The software name.
  -u, --upload               Upload report to xygeni server.
  -h, --help                 Show this help message and exit.
  -V, --version              Print version information and exit.

Input files options:
  -d, --dir=<directory>      The directory to analyze (default: current directory).
  -i, --include=<includePatterns>
                             Include patterns, comma-separated (optional).
  -e, --exclude=<excludePatterns>
                             Exclude patterns, comma-separated (optional).
                             Example: '**/test/**'

Repository options:
  -repo, --repository=<repo> The repository. Either a URL or scm:owner/repo,
                             like 'github:tensorflow/tensorflow'
  --repo-branch=<ref>        The repository branch or commit SHA to checkout for analysis.
                             HEAD if unspecified.

Container image options:
      --image=<image>        The container image, in registry/repository/image:tag format.
                             Examples: debian, alpine:latest, cgr.dev/chainguard/go,
                             gcr.io/google-containers/python@sha256:fe...4b
      --image-platform=<platform>
                             The image platform in the form os/arch, if image is multi-platform.
      --image-sources=<sources>
                             The image source(s) to use, comma-separated in order.
                             Defaults to docker, containerd, podman, remote.
      --image-scope=<scope>  How layers are analyzed. One of merged, mergedExceptBase, byLayer,
                             byLayerExceptBase. Default: merged.

Output options:
  -o, --output=<output>      Output file. Use 'stdout' or '-' for standard output, 'stderr' for standard error.
  -f, --format=<format>      Output format: none, text, json, csv.
      --report-columns=<reportColumns>
                             Report columns, separated by commas (default:
                             config property report/columns)

Collaborators:
      --include-collaborators
                             If repository collaborators should be added to inventory.

Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.inventory.yml).
      --[no-]conf-download   Download scanner config? (default: true)
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run, or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to ignore

Exit options:
      --never-fail           Do not fail: always exit with code 0, even with flaws or errors.
```

The most important properties are:

* The **name** of the project (`-n` or `--name`).
* Specify either a directory (`-d|--dir`), a repository (`-repo|--repository`), or a container image (`--image`). If none is provided, the current local directory is assumed.
* Enable the `--upload` option to upload results. Results are not uploaded by default.
* Specify the output file with the `-o` or `--output` option and the format with `-f` or `--format`. If no output file is specified, or if `stdout` or `-` is given, the report goes to standard output. Use `--format=none` if you do not want to generate any output.
