CI/CD Scanner
Purpose
A CI/CD misconfiguration in any element of the software pipeline, like a package manager, a build file, or a CI job, might open the door to attacks targeted at the organization’s DevOps chain.
The CI/CD Misconfigurations Scanner is a tool that checks the configuration of the software project under analysis and reports any misconfiguration currently active for the policy assigned to the project. Detected misconfigurations can be uploaded to the Xygeni platform for consolidation and for enabling response actions.
Handling findings
Fixing a misconfiguration issue often requires changes not only in a tool configuration, but also in the activities of the software development process. The detector documentation provides a Mitigation / Fix section that describes the recommended actions.
Quick Start
To detect CI/CD misconfigurations in the software project whose sources are in the current directory, the command:
xygeni misconf -n MyProject --upload
uploads the results to the Xygeni platform.
To export the most important misconfigurations to CSV, for review or for importing the findings into another tool:
xygeni misconf -n MyProject --detectors critical \
--format csv --output MyProject.misconfs.csv
Usage
The CI/CD Misconfigurations Scanner is launched using the xygeni misconf [options] command.
For a full reference of all available options, run:
xygeni misconf --help
The most important options are:
- Name of the project: -n or --name.
- Input: either a directory (-d|--dir) or a repository (-repo|--repository). If none is given, the local current directory is assumed.
- Upload results to the service: --upload. By default, results are not uploaded.
- Output file (-o or --output) and format (-f or --format). If no output file is specified (or stdout / - is used), the standard output is used. Use --format=none for no output.
- The detectors to run can be tailored with the --detectors / --skip-detectors options. A common use case is to consider only issues with high or critical severity, with --detectors=high.
Configuration options:
  -c, --conf=<config>          Configuration file (default: xygeni.misconfigurations.yml).
  --[no-]conf-download         Download scanner config? (default: true)
  --detectors=<detectors>      Comma-separated list of IDs for detectors to run, PRIORITY or 'all'
  --skip-detectors=<skipDetectors>
                               Comma-separated list of IDs for detectors to ignore, or PRIORITY
  --custom-detectors-dir=<customDetectorsDir>
                               Directory with custom detectors.
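A CI gate built around the CSV export shown in the Quick Start, as an added example rather than a script shipped with the scanner. It assumes `xygeni` is on PATH and that the CSV export has one header row followed by one row per finding (the CSV layout is not documented on this page).

```shell
#!/bin/sh
# Added example, not part of the Xygeni documentation: run the misconfiguration
# scanner for one severity class, export the findings to CSV, and fail the CI
# job when any finding is present. Assumption: the CSV has a single header row
# and one row per reported misconfiguration.

# Count findings in an exported CSV: every non-empty line after the header.
# Prints the count on stdout; returns 2 if the report file does not exist.
count_findings() {
    csv="$1"
    [ -f "$csv" ] || { echo "missing report: $csv" >&2; return 2; }
    # tail skips the header; grep -c prints 0 (and exits 1) when there are no rows,
    # so the || true keeps the function's exit status at 0 in that case.
    tail -n +2 "$csv" | grep -c . || true
}

# Run the scan (same command shape as the Quick Start) and gate on the result.
# Usage: misconf_gate <project-name> [severity]   (severity defaults to critical)
# Returns 0 when no findings, 1 when findings exist, 2 on scanner/report errors.
misconf_gate() {
    project="$1"
    severity="${2:-critical}"
    report="$project.misconfs.csv"
    xygeni misconf -n "$project" --detectors "$severity" \
        --format csv --output "$report" || return 2
    n=$(count_findings "$report") || return 2
    if [ "$n" -gt 0 ]; then
        echo "$n $severity CI/CD misconfiguration(s) found; see $report" >&2
        return 1
    fi
    echo "no $severity misconfigurations in $project"
}
```

Call `misconf_gate MyProject` as the last step of a pipeline stage; the non-zero exit on findings is what makes the CI job fail.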
SCMs and CI/CD misconfigurations scanning
The CI/CD scanner performs checks against your SCM and CI/CD systems, collecting information about your repository and organization to determine whether any misconfigurations affect them.
It is important to provide tokens with the corresponding permissions so that the scanner can collect the data needed for the analysis. If tokens are not provided, the scanner will not be able to assess your repository or organization.