Xygeni User Guides
  • Welcome to Xygeni
  • Getting Started
    • Create a Free Trial Account
    • Quick start with your code repository
    • Quick start with Xygeni CLI
    • Quick start with a preloaded project
    • Log in to Xygeni
    • Subscribe to Xygeni
  • Introduction to Xygeni
    • Key Concepts
      • Projects in Xygeni
      • Project Baseline
      • Detected Issues
      • Remediation Actions
      • Policies
      • Risk Level
      • SDLC Inventory
      • Standards Compliance
      • GuardRails
    • Xygeni Products
    • How Xygeni works
    • Xygeni Web UI Overview
      • Projects Screen
        • Risk Level
    • Integrating Xygeni into your Workflow
    • Prioritization Funnels
      • Custom Funnels
      • Prioritization Criteria (Stages)
        • Reachability
        • Exploitability
        • Fixable
    • Guardrails
    • Generate a SBOM
    • Reports
      • Trends
      • Scan History
    • Supported Integrations
    • Customizations
  • Xygeni Products
    • Application Security Posture Management (ASPM)
      • ASPM User Interface Guide
      • All Risks
        • Statistics
        • Issues Evolution
        • Issue Comparison Between Different Scans
      • Governance
      • Inventory
        • All Assets
        • Repositories
        • Components
        • CI/CD Assets
        • Delivery Assets
        • Systems & Tools
        • Collaborators
      • Health Check
      • Inventory Scanner
        • Inventory Scanner Configuration
        • Inventory Collaborators Scan
      • Importing reports from 3rd party tools
        • External Scanners Supported
          • Report upload for Kiuwan
            • ExportRule (.java)
    • Code Security (SAST)
      • Code Security (SAST) User Interface Guide
        • Risks (SAST)
        • Malicious Code
      • Malware Scanner
        • Malware Scanner Configuration
        • Malware Detectors
      • SAST Scanner
        • SAST Scanner Configuration
    • Open Source (SCA)
      • Open Source (SCA) User Interface Guide
      • Open Source Components
      • Supported Package Managers for dependency resolution
      • Risks (SCA)
      • OSS Prioritization Funnels
      • OSS Auto-Remediation
      • Malware Early Warning (MEW)
        • How Malware Early Warning works
        • Common types of Malware found in open source packages
      • Dependency Scanner
        • Dependency scanner configuration
        • Dependency Analyzers
      • Suspect Dependencies Scanner
        • Suspect Deps Scanner Configuration
        • Suspect Deps Detectors
    • CI/CD Security
      • CI/CD Security User Interface Guide
      • CI/CD Details
      • Build Attestations
      • CI/CD Scanner
        • CI/CD Misconfigurations Scanner Configuration
      • Compliance Scanner
        • Supported compliance standards
    • Secrets Security
      • Secrets User Interface Guide
      • Secrets Scanner
        • Secrets scanner configuration
      • Secret Leaks Handling
        • Secret Leaks Handling
        • How to Prevent Hard-Coded Secrets
        • Secret Leaks Handling CheatSheet
      • Secrets Auto-Remediation
    • IaC Security
      • IaC User Interface Guide
      • IaC Scanner
        • IaC Scanner Configuration
    • Malware
    • Build Security
      • Build Security Concepts
      • Build Attestations
      • Attestation format
      • How SALT works
      • Installing Salt CLI
      • Salt Command-Line Reference
      • SALT Architecture
      • SALT How To…​
    • Anomalous Activity Detection
      • Anomalous Activity Detection User Interface Guide
      • Xygeni Sensors
        • Xygeni Sensor for Azure
        • Xygeni Sensor for BitBucket
        • Xygeni Sensor for GitHub
          • GitHub Audit Log Processing
        • Xygeni Sensor for GitLab
        • Xygeni Sensor for Jenkins
        • Anomaly Detection's Detectors
      • Code Tampering Scanner
        • Code Tampering Scanner Configuration
    • Compliance & Malware Insights
      • SSCS Compliance
      • Malicious Packages DB
  • Scan Management
    • Manage Scans
    • Scan History
  • Xygeni Scanner CLI
    • Xygeni Scanners
    • Xygeni CLI Overview
      • Xygeni CLI Prerequisites
      • Xygeni CLI Installation
      • Xygeni CLI Docker Image
      • Xygeni CLI Authentication
        • CLI Authentication with Xygeni
      • SCM, CI/ CD and Container Registry tokens
      • Xygeni CLI Operation Modes
        • Single scan
          • Scanning a docker image
        • Multi Scan
        • Organization scan
      • Xygeni CLI Configuration options
      • Xygeni CLI Output Formats
      • Exporting Xygeni results to 3rd party tools
      • Automatic Remediation
      • Generate SBOM with the Xygeni CLI
      • CLI utils
        • Credentials Encryption
        • Central Configuration
      • Xygeni Guardrails
        • CI/CD Audit Analysis
      • Xygeni CLI Error Codes
      • Xygeni Scanner Reference
  • Xygeni Administration
    • Platform Administration
      • Profile
      • Subscription
      • Users Management
      • Projects Management
      • Groups Management
      • Policies
      • Integrations
        • Xygeni Single Sign-On (SSO) Authentication
          • SSO - OKTA
          • SSO - Microsoft Entra ID
        • Integrate Scanner CLI into CI/CD Systems
          • Azure Pipelines Integration
          • BitBucket Integration
          • CircleCI Integration
          • GitHub Actions Integration
          • GitLab Runner Integration
          • Jenkins Integration
          • Travis CI Integration
        • Git Hooks with Xygeni
        • Collaboration & communication Tools
        • Ticketing Systems
        • Remediation systems
      • Notifications
    • Rest API
  • Support
  • Changelog
    • Version 5.11 - April 11, 2025
    • Version 5.9 – March 26, 2025
Powered by GitBook
On this page
  • Table of Contents
  • Purpose
  • Handling results
  • Quick Start
  • Usage
Export as PDF
  1. Xygeni Products
  2. IaC Security

IaC Scanner

PreviousIaC User Interface GuideNextIaC Scanner Configuration

Last updated 7 months ago

Table of Contents

  1. Purpose

  2. Handling Results

  3. Quick Start

  4. Usage

  5. Configuration

Purpose

Infrastructure-as-Code or IaC is a method to provision and manage IT/Cloud infrastructure through the use of source code (IaC templates) under version control, rather than through operating procedures and manual processes.

An IaC Flaw represents a "flaw" or "defect" (a non-compliance) for a certain policy, found in an Infrastructure-as-Code (IaC) template. Most flaws represent a security-related issue that adds significant risk.

Handling results

The flaws reported typically suggest a direct change in the template to fix it, documented in Mitigation / Fix section for the detector describing the recommended action.

Quick Start

For detecting security flaws in Infrastructure-as-Code (IaC) templates found in current directory, the command shown below uploads the results to Xygeni platform.

xygeni iac -n MyProject --upload

IaC scanner can be launched in two different ways:

1.- By its own specific command ( xygeni iac [options] )

2.- By the general command ( xygeni scan --run="iac" [options] )

For exporting the most important IaC flaws to CSV for review, or importing the findings into another tool:

xygeni iac -n MyProject --detectors critical \
            --format csv --output MyProject.iac_flaws.csv
       

Usage

The IaC Scanner is launched using the xygeni iac [options] command.

For a full reference of all the available option, you can issue :

xygeni iac --help

The most important properties are:

  • Name of the project, -n or --name.

  • Input, either a directory (-d|--dir) or a repository (-repo|--repository). If none given, the local current directory is assumed.

  • Upload results to the service, --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If not output file (or stdout / - are used), the standard output is used. Use --format=none for no output.

  • The detectors to run could be tailored with the --detectors / --skip-detectors, --framework / --skip-framework and --cloud / --skip-cloud options. A common use-case is to consider only issues with high or critical severity with --detectors=high.

Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.iac.yml).
      --[no-]conf-download   Download scanner config? (default: true}
  -b, --baseline=<baseline>  Baseline file (default: .xygeni.iac.baseline.
                               json). If empty, no baseline.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run,
                               PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to
                               ignore, or PRIORITY
      --framework=<frameworks>
                             IaC framework to scan (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --skip-framework=<skipFrameworks>
                             IaC framework to ignore (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --cloud=<cloudProviders>
                             Cloud provider to include (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
      --skip-cloud=<skipCloudProviders>
                             Cloud provider to exclude (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).

Detectors