A build/deploy pipeline is based on a set of automated processes and tools, involving source control, build tools, continuous integration, testing automation (unit, integration and regression testing), validation, reporting, and distribution of software.
The assets involved in a build/deploy pipeline are called SDLC assets. The Xygeni platform automatically discovers an inventory of the SDLC assets, and the relations between them, for the pipelines used in an organization. Security issues and unusual activity events captured by the Xygeni platform are then mapped to the affected SDLC assets.
For discovering SDLC assets at scan time, the xygeni inventory scanner command may be used.
Discovery works by extracting information from the available sources (project and dependency descriptors, build files, CI/CD pipeline definitions, IaC templates), possibly complemented by calls to the tools' APIs that fetch additional information to better qualify each discovered asset.
For additional information on the inventory and how it is used in the Xygeni platform, see Inventory.
Quick Start
The command:
xygeni inventory --dir DIR --upload
scans a software project for assets related to software build & deploy pipelines, builds the inventory and uploads the result to the Xygeni platform (where DIR is the directory with the software project to analyze, possibly cloned from a Git repository).
The inventory scanner can be launched in two different ways:
1.- By its own specific command (xygeni inventory [options])
2.- By the general command (xygeni scan --run="inventory" [options])
Issues are linked to inventory assets ONLY when the scans are run together with the inventory step. It is recommended to run a full scan command for inventory processing. Running the inventory scan alone should be used for configuration and testing.
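The following CI wrapper is an added example, not part of the Xygeni documentation or product. It shows how to keep the scan options in an argument file (the @<filename> form from the usage text) and run either the standalone inventory command, for configuration and testing, or the full scan, so that issues get linked to inventory assets. It assumes that `xygeni` is on PATH (override with the XYGENI_BIN variable, which is an assumption of this script, not a Xygeni setting), that `xygeni scan` without `--run` includes the inventory step, and that `xygeni scan` accepts the same input/output options as `xygeni inventory`.

```shell
#!/bin/sh
# Added example wrapper for running the Xygeni inventory in CI.
# Assumptions (not from the Xygeni docs): XYGENI_BIN and XYGENI_DRY_RUN are
# variables of this script only; `xygeni scan` with no --run includes the inventory.

# Write the shared scan options to an argument file so the CI job definition
# stays short and both modes use exactly the same input/output settings.
# $1 = argument file path, $2 = project name, $3 = directory, $4 = JSON output
write_inventory_args() {
  cat > "$1" <<EOF
--name=$2
--dir=$3
--exclude=**/test/**,**/node_modules/**
--format=json
--output=$4
EOF
}

# Run the scanner in one of two modes:
#   inventory  -> `xygeni inventory`: inventory alone, for configuration/testing
#   full       -> `xygeni scan`: full scan, so issues are linked to assets
# --never-fail is deliberately NOT passed: a failing scan should fail the job.
# With XYGENI_DRY_RUN=1 the command line is printed instead of executed, which
# lets the wrapper be checked on a machine without the scanner installed.
run_scan() {
  mode="$1"
  argfile="$2"
  bin="${XYGENI_BIN:-xygeni}"
  case "$mode" in
    inventory) sub="inventory" ;;
    full)      sub="scan" ;;
    *) echo "unknown mode: $mode (use inventory or full)" >&2; return 2 ;;
  esac
  if [ "${XYGENI_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$bin $sub @$argfile --upload"
    return 0
  fi
  "$bin" "$sub" "@$argfile" --upload
}

# Typical use in a pipeline step:
#   write_inventory_args xygeni.args my-app "$CI_PROJECT_DIR" inventory.json
#   run_scan full xygeni.args
```

Keep the argument file and the JSON output as job artifacts: the argument file documents exactly what was scanned, and the JSON report can be diffed between runs to spot assets appearing in or disappearing from the pipeline.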
Usage:
xygeni inventory [-huV] [-n=<name>]
[-d=<directory>] [-e=<excludePatterns>] [-i=<includePatterns>]
[-repo=<repo>] [--repo-branch=<repoBranch>]
[--image=<image>] [--image-platform=<platform>]
[--image-sources=<sources>] [--image-scope=<scope>]
[-o=<output>] [-f=<format>] [--report-columns=<reportColumns>]
[-c=<config>] [--[no-]conf-download]
[--detectors=<detectors>] [--skip-detectors=<skipDetectors>]
[--never-fail] [@<filename>...]
Discover SDLC assets for project.
Parameters:
[@<filename>...] One or more argument files containing options.
-n, --name=<name> The software name.
-u, --upload Upload report to xygeni server.
-h, --help Show this help message and exit.
-V, --version Print version information and exit.
Input files options:
-d, --dir=<directory> The directory to analyze (default: current directory).
-i, --include=<includePatterns>
Include patterns, comma-separated (optional).
-e, --exclude=<excludePatterns>
Exclude patterns, comma-separated (optional).
Example: '**/test/**'
Repository options:
-repo, --repository=<repo> The repository. Either a URL or scm:owner/repo,
like 'github:tensorflow/tensorflow'
--repo-branch=<ref> The repository branch or commit SHA to checkout for analysis.
HEAD if unspecified.
Container image options:
--image=<image> The container image, in registry/repository/image:tag format.
Examples: debian, alpine:latest, cgr.dev/chainguard/go,
gcr.io/google-containers/python@sha256:fe...4b
--image-platform=<platform>
The image platform in the form os/arch, if image is multi-platform.
--image-sources=<sources>
The image source(s) to use, comma-separated in order.
Defaults to docker, containerd, podman, remote.
--image-scope=<scope> How layers are analyzed. One of merged, mergedExceptBase, byLayer,
byLayerExceptBase. Default: merged.
Output options:
-o, --output=<output> Output file. Use 'stdout' or '-' for standard output, 'stderr' for standard error.
-f, --format=<format> Output format: none, text, json, csv.
--report-columns=<reportColumns>
Report columns, separated by commas (default:
config property report/columns)
Collaborators:
--include-collaborators
If repository collaborators should be added to inventory.
Configuration options:
-c, --conf=<config> Configuration file (default: xygeni.inventory.yml).
--[no-]conf-download Download scanner config? (default: true)
--detectors=<detectors>
Comma-separated list of IDs for detectors to run, or 'all'
--skip-detectors=<skipDetectors>
Comma-separated list of IDs for detectors to ignore
Exit options:
--never-fail Do not fail: always exit with code 0, even with flaws or errors.
The most important options are:
Name of the project, -n or --name.
Input, either a directory (-d|--dir), a repository (-repo|--repository) or a container image (--image). If none is given, the current local directory is assumed.
Upload results to the service, --upload. By default, results are not uploaded.
Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), standard output is used. Use --format=none for no output.