AI Agents Configuration

Xygeni features that use AI — AI Triage and the Xygeni Bot auto-remediation flow — share the same set of supported AI providers and the same configuration keys. Two locations are accepted:

  • xygenibot.yml — the Xygeni Bot configuration file (sast.ai-agents and sast.ai-remediation-agent under the sast block). Primary location, consulted first.

  • xygeni.yml — the main scanner configuration file (top-level ai-agents and ai-agent keys). Used as a fallback when the corresponding field is not declared in xygenibot.yml. Useful for projects that prefer to keep their scanner configuration consolidated in xygeni.yml.

Supported providers

The same list applies to both files:

  • Xygeni — managed Xygeni-hosted agent. Default when nothing is configured.

  • Anthropic

  • Google Gemini

  • Groq

  • OpenAI

  • OpenRouter

For each provider you can declare host, token, model, and free-form options. Values support environment-variable indirection with the standard ${ENV_VAR} and ${ENV_VAR:-default} patterns.

Schema in xygeni.yml

Add the two top-level keys to your xygeni.yml:

# conf/xygeni.yml

# ... existing scanner configuration ...

ai-agent: ${XYGENI_AI_AGENT:openai}                 # selected agent

ai-agents:
  anthropic:
    host:  ${ANTHROPIC_HOST:https://api.anthropic.com}
    token: ${ANTHROPIC_API_KEY}
    model: claude-sonnet-4-6

  openai:
    host:  ${OPENAI_HOST:https://api.openai.com/v1}
    token: ${OPENAI_API_KEY}
    model: gpt-4o

  gemini:
    host:  ${GEMINI_HOST:https://generativelanguage.googleapis.com/v1beta}
    token: ${GEMINI_TOKEN}
    model: gemini-2.5-flash

  groq:
    host:  ${GROQ_HOST:https://api.groq.com/openai/v1}
    token: ${GROQ_TOKEN}
    model: llama-3.1-8b-instant

  openrouter:
    host:  ${OPENROUTER_HOST:https://openrouter.ai/api/v1}
    token: ${OPENROUTER_TOKEN}
    model: openai/gpt-4o

  xygeni: {}                                         # use Xygeni-hosted agent

ai-agent accepts any of the provider names listed above plus global (use the agent globally configured for your account).

Both keys are optional. A xygeni.yml that does not declare them remains valid.

Schema in xygenibot.yml

In xygenibot.yml the same configuration lives under the sast block:

See Xygeni Bot for the full xygenibot.yml reference, including the rest of the SAST and SCA remediation settings.

Precedence

For AI Triage, both files are consulted on a per-field basis:

  Source                                                      Precedence
  ----------------------------------------------------------  ------------------------
  xygenibot.yml (sast.ai-agents, sast.ai-remediation-agent)   Higher (consulted first)
  xygeni.yml (ai-agents, ai-agent)                            Lower (fallback)
  Defaults shipped with the scanner                           Lowest

When both files declare the same field, the value in xygenibot.yml wins. The corresponding field in xygeni.yml is consulted only if xygenibot.yml does not declare it (or does not exist). Resolution is per field: a project that declares sast.ai-remediation-agent in xygenibot.yml but no sast.ai-agents block can still rely on ai-agents in xygeni.yml for the per-provider settings, and vice versa.

For Xygeni Bot auto-remediation (xygeni scan --auto-remediate), xygenibot.yml remains the source of truth — xygeni.yml is not consulted for that flow.

Moving AI Triage configuration to xygeni.yml

To keep all scanner configuration in a single file, you can move the AI Triage settings to xygeni.yml. Because xygenibot.yml takes precedence, the move requires both steps:

  1. Remove sast.ai-agents and sast.ai-remediation-agent from xygenibot.yml (or remove xygenibot.yml entirely if it is not needed for auto-remediation).

  2. Add the equivalent top-level ai-agents block and ai-agent key to xygeni.yml.

If xygenibot.yml still declares the fields, AI Triage will continue to read them from there even after xygeni.yml is updated.

If you keep both files (for example, because Xygeni Bot auto-remediation is in use), xygenibot.yml remains the effective source of truth for AI Triage and there is no need to duplicate the values in xygeni.yml.

Environment-variable indirection

Tokens, hosts, and models can reference environment variables in either file. The same resolution applies:

Tokens are resolved through Xygeni's secure token-fetch helper; do not commit raw tokens to either file.

Validation

When the resolved agent (sast.ai-remediation-agent from xygenibot.yml, or ai-agent from xygeni.yml when falling back) maps to a provider whose ai-agents.<provider> block is missing required fields — for example, the resolved agent is openai but ai-agents.openai.token is empty after env-var expansion — AI Triage fails fast with an error pointing at the file and field that should have been present.
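As an added illustration (not Xygeni's own code) of the per-field precedence, the ${VAR:default} expansion and the fail-fast validation described above, the following Python resolves the active agent from constructed stand-ins for the two files. The file contents, the environment passed in, and the choice of token as the only required field are assumptions made for the example.

```python
import re

# Constructed stand-ins for the two files, mirroring this page's key layout.
# xygenibot.yml names the agent but has no sast.ai-agents block ...
XYGENIBOT = {"sast": {"ai-remediation-agent": "openai"}}
# ... so the per-provider settings fall back to ai-agents in xygeni.yml.
XYGENI = {
    "ai-agent": "anthropic",  # ignored: sast.ai-remediation-agent wins
    "ai-agents": {
        "openai": {
            "host": "${OPENAI_HOST:https://api.openai.com/v1}",
            "token": "${OPENAI_API_KEY}",
            "model": "gpt-4o",
        },
        "xygeni": {},
    },
}

# ${VAR}, ${VAR:default} (as in the page's YAML) and ${VAR:-default}.
_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-?([^}]*))?\}")


def expand(value, env):
    """Expand env-var references; an unset variable with no default becomes ''."""
    if not isinstance(value, str):
        return value
    return _REF.sub(lambda m: env.get(m.group(1), m.group(2) or ""), value)


def resolve(bot_cfg, main_cfg, env):
    """Per-field precedence: xygenibot.yml, then xygeni.yml, then the default
    Xygeni-hosted agent. Returns (agent, expanded provider settings)."""
    sast = (bot_cfg or {}).get("sast") or {}
    main_cfg = main_cfg or {}
    agent = expand(sast.get("ai-remediation-agent") or main_cfg.get("ai-agent") or "xygeni", env)
    if sast.get("ai-agents"):
        agents, source = sast["ai-agents"], "xygenibot.yml sast.ai-agents"
    else:
        agents, source = main_cfg.get("ai-agents") or {}, "xygeni.yml ai-agents"
    if agent in ("xygeni", "global"):
        return agent, {}  # hosted / account-level agent: no provider block needed
    provider = {k: expand(v, env) for k, v in (agents.get(agent) or {}).items()}
    # Fail fast before any request is made; token is the required field the page
    # names, so that is the one checked here (assumption: the rest are optional).
    if not provider.get("token"):
        raise ValueError(f"{source}.{agent}.token is missing or empty after env-var expansion")
    return agent, provider
```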

  • AI Triage — feature overview, UI flows, scan-time and CLI usage.

  • AI Triage (CLI) — xygeni util ai-triage reference, including the --bot-config flag.

  • Xygeni Bot — auto-remediation flow and full xygenibot.yml reference.
