CI/CD Scanner

Table of Contents

  1. Purpose

  2. Handling Results

  3. Quick Start

  4. Usage

  5. Configuration

  6. Detectors

Purpose

A CI/CD misconfiguration in any element of the software pipeline, like a package manager, a build file, or a CI job, might open the door to attacks targeted at the organization’s DevOps chain.

The CI/CD misconfigurations Scanner is a tool that checks the configuration of the software project under analysis, and reports any misconfiguration currently active for the policy assigned to the project. Detected misconfigurations could be uploaded to Xygeni platform for consolidation and for enabling response actions.

Handling findings

Fixing a misconfiguration issue often requires changes not only in a tool configuration, but also in the activities of the software development process. The detector documentation provides a Mitigation / Fix section that describes the recommended actions.

Quick Start

For detecting CI/CD misconfigurations found in software project with sources in current directory, the command:

xygeni misconf -n MyProject --upload

uploads the result to Xygeni platform.

CI/CD Misconfigurations scanner can be launched in two different ways:

1.- By its own specific command ( xygeni iac[options] )

2.- By the general command ( xygeni scan --run="iac" [options] )

For exporting the most important misconfigurations to CSV for review, or importing the findings into another tool:

xygeni misconf -n MyProject --detectors critical \
            --format csv --output MyProject.misconfs.csv

Usage

The CI/CD Misconfigurations Scanner is launched using the xygeni misconf [options] command.

For a full reference of all the available option, you can issue :

xygeni misconf --help

The most important properties are:

  • Name of the project, -n or --name.

  • Input, either a directory (-d|--dir) or a repository (-repo|--repository). If none is given, the local current directory is assumed.

  • Upload results to the service --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If no output file is specified (or stdout / - are used), the standard output is used. Use --format=none for no output.

  • The detectors to run could be tailored with the --detectors / --skip-detectors options. A common use-case is to consider only issues with high or critical severity with --detectors=high.

Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.
                               misconfigurations.yml).
      --[no-]conf-download   Download scanner config? (default: true}
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run,
                               PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to
                               ignore, or PRIORITY
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.

SCMs and CI/CD misconfigurations scanning

The CI/CD scanner performs checks against your SCM and CI/ CD systems to recover information about your repository and organization to validate if there are misconfigurations affecting them.

It is important to provide tokens with the corresponding permissions to allow the scanner to collect the data needed for analyses. If tokens are not provided, the scanner will not be able to assess your repository/organization.

Please see SCM, CI/ CD and Container Registry tokens for further information.

PreviousBuild AttestationsNextCI/CD Misconfigurations Scanner Configuration

Last updated