CI/CD Scanner
A CI/CD misconfiguration in any element of the software pipeline, like a package manager, a build file, or a CI job, might open the door to attacks targeted at the organization’s DevOps chain.
The CI/CD Misconfigurations Scanner is a tool that checks the configuration of the software project under analysis and reports any misconfiguration currently active for the policy assigned to the project. Detected misconfigurations can be uploaded to the Xygeni platform for consolidation and for enabling response actions.
Fixing a misconfiguration issue often requires changes not only in a tool configuration, but also in the activities of the software development process. The detector documentation provides a Mitigation / Fix section that describes the recommended actions.
To detect CI/CD misconfigurations in a software project whose sources are in the current directory, run xygeni misconf with --upload, which uploads the result to the Xygeni platform.
To export the most important misconfigurations to CSV for review, or to import the findings into another tool, combine --detectors=high with an output file (-o) and a CSV --format.
The CI/CD Misconfigurations Scanner is launched using the xygeni misconf [options] command.
For a full reference of all the available options, see the command help.
The most important properties are:
- Name of the project: -n or --name.
- Input, either a directory (-d|--dir) or a repository (-repo|--repository). If none is given, the current local directory is assumed.
- Upload results to the service: --upload. By default, results are not uploaded.
- Output file (-o or --output) and format (-f or --format). If no output file is specified (or stdout / - is used), the standard output is used. Use --format=none for no output.
The detectors to run can be tailored with the --detectors / --skip-detectors options. A common use case is to consider only issues with high or critical severity, with --detectors=high.
The CI/CD scanner performs checks against your SCM and CI/CD systems to recover information about your repository and organization and validate whether misconfigurations affect them.
It is important to provide tokens with the corresponding permissions to allow the scanner to collect the data needed for analyses. If tokens are not provided, the scanner will not be able to assess your repository/organization.
Please see for further information.
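A CI job wrapper around the options described above, added here as an example and not part of the Xygeni documentation: it composes the xygeni misconf command line (project name, directory, high-severity detectors, CSV export, optional upload) and refuses to run when no SCM/CI token is available, since the scanner cannot assess the repository without one. The token variable name SCM_TOKEN, the "csv" format value and the DRY_RUN switch are assumptions.

```shell
#!/usr/bin/env sh
# Added example wrapper for "xygeni misconf" (not the project's own code).
# Assumptions: the SCM/CI token is passed in SCM_TOKEN; "csv" is the
# --format value for CSV export; DRY_RUN=1 prints the command instead
# of executing it (useful for checking the job before enabling it).

# Returns 0 when a token is present, 1 otherwise. Without a token the
# scanner cannot collect repository/organization data, so we fail fast.
token_present() {
  [ -n "${SCM_TOKEN:-}" ]
}

# run_scan NAME DIR OUTPUT UPLOAD
#   NAME   project name (-n)
#   DIR    source directory (-d)
#   OUTPUT output file for CSV export, or "-" for standard output
#   UPLOAD "upload" to also send findings to the Xygeni platform
run_scan() {
  name=$1; dir=$2; out=$3; upload=$4
  # Build the argument list positionally; no eval, so names with
  # spaces or shell metacharacters cannot alter the command.
  set -- xygeni misconf -n "$name" -d "$dir" --detectors=high
  if [ "$out" != "-" ]; then
    set -- "$@" -o "$out" -f csv        # CSV export for review elsewhere
  fi
  if [ "$upload" = "upload" ]; then
    set -- "$@" --upload                # results are not uploaded by default
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
    return 0
  fi
  if ! token_present; then
    echo "SCM_TOKEN is not set: xygeni misconf cannot assess the repository" >&2
    return 2
  fi
  "$@"
}
```

Running `DRY_RUN=1 run_scan myproject . findings.csv upload` shows the exact command line the job will execute, which is a cheap way to review the flags in a pull request before the scan is wired into the pipeline.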