# CI/CD Scanner

## Table of Contents

1. [Purpose](#purpose)
2. [Handling findings](#handling_findings)
3. [Quick Start](#quick_start)
4. [Usage](#usage)
5. [Configuration](https://docs.xygeni.io/xygeni-products/software-supply-chain-security-sscs/ci-cd-scanner/ci-cd-misconfigurations-scanner-configuration)
6. [Detectors](https://docs.xygeni.io/xygeni-products/software-supply-chain-security-sscs/ci-cd-misconfigurations-scanner-configuration#detectors)

### Purpose <a href="#purpose" id="purpose"></a>

A **CI/CD misconfiguration** in any element of the software pipeline, like a package manager, a build file, or a CI job, might open the door to attacks targeted at the organization’s DevOps chain.

The **CI/CD Misconfigurations Scanner** is a tool that checks the configuration of the software project under analysis and reports any misconfiguration currently active for the policy assigned to the project. Detected misconfigurations can be uploaded to the Xygeni platform for consolidation and for enabling response actions.

### Handling findings <a href="#handling_findings" id="handling_findings"></a>

Fixing a misconfiguration issue often requires changes not only in a tool configuration, but also in the activities of the software development process. The detector documentation provides a `Mitigation / Fix` section that describes the recommended actions.

### Quick Start <a href="#quick_start" id="quick_start"></a>

To detect CI/CD misconfigurations in a software project whose sources are in the current directory, and upload the results to the Xygeni platform, run:

```bash
xygeni misconf -n MyProject --upload
```

{% hint style="info" %}
The CI/CD Misconfigurations Scanner can be launched in two different ways:

1. By its own specific command (`xygeni misconf [options]`)

2. By the general command (`xygeni scan --run="iac" [options]`)
{% endhint %}

To export the most important misconfigurations to CSV, for review or for importing the findings into another tool:

```bash
xygeni misconf -n MyProject --detectors critical \
            --format csv --output MyProject.misconfs.csv
```
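A CSV report like the one above is handy for gating a pipeline. The POSIX shell script below is an added example, not part of Xygeni's own tooling: it reads a report written with `--format csv --output`, counts the rows whose severity is in a blocking set, and returns a non-zero status so a CI step fails. It assumes the CSV has a header row and a column named `severity` (column name and the sample rows are constructed assumptions, not real scanner output).

```shell
#!/bin/sh
# Added example (not Xygeni's own code): fail a CI job when a misconf CSV
# report contains findings at or above a chosen severity.
# Assumption: the CSV has a header row and a "severity" column.

# Print the 1-based index of a named column in a CSV header line (0 if absent).
csv_col_index() {  # $1=header line, $2=column name
  printf '%s\n' "$1" | awk -F',' -v name="$2" '{
    for (i = 1; i <= NF; i++) { gsub(/^[ \t"]+|[ \t"]+$/, "", $i)
      if (tolower($i) == tolower(name)) { print i; exit } }
    print 0 }'
}

# Count data rows whose severity is in a comma-separated set (case-insensitive).
count_findings() {  # $1=csv file, $2=severities, e.g. "critical,high"
  header=$(head -n 1 "$1")
  idx=$(csv_col_index "$header" severity)
  [ "$idx" -gt 0 ] || { echo "no severity column in $1" >&2; return 2; }
  tail -n +2 "$1" | awk -F',' -v col="$idx" -v sevs=",$2," '
    { v = $col; gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      if (index(sevs, "," tolower(v) ",")) n++ }
    END { print n + 0 }'
}

# Exit 0 when nothing blocks, 1 when blocking findings exist, 2 on a bad file.
gate_on_report() {  # $1=csv file, $2=severities
  n=$(count_findings "$1" "$2") || return 2
  if [ "$n" -gt 0 ]; then
    echo "BLOCK: $n misconfiguration(s) with severity in [$2]" >&2
    return 1
  fi
  echo "OK: no misconfigurations with severity in [$2]"
}

# Constructed sample report so the script runs stand-alone (not real output).
SAMPLE_CSV=$(mktemp)
cat > "$SAMPLE_CSV" <<'EOF'
detector,severity,file,message
unpinned_action,high,.github/workflows/ci.yml,Action not pinned to a commit
secret_in_log,critical,.github/workflows/ci.yml,Secret echoed to log
missing_codeowners,low,CODEOWNERS,No CODEOWNERS file
EOF
gate_on_report "$SAMPLE_CSV" "critical,high" || echo "exit status $?"
```

In a pipeline, replace the constructed file with the path given to `--output` (for example `MyProject.misconfs.csv`) and run `gate_on_report` as the last step.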

### Usage <a href="#usage" id="usage"></a>

The CI/CD Misconfigurations Scanner is launched using the `xygeni misconf [options]` command.

For a full reference of all the available options, run:

```bash
xygeni misconf --help
```

The most important properties are:

* Name of the project: `-n` or `--name`.
* Input: either a directory (`-d|--dir`) or a repository (`-repo|--repository`). If none is given, the current local directory is assumed.
* Upload results to the service: `--upload`. By default, results are not uploaded.
* Output file (`-o` or `--output`) and format (`-f` or `--format`). If no output file is specified (or `stdout` / `-` is given), the standard output is used. Use `--format=none` for no output.
* The detectors to run can be tailored with the `--detectors` / `--skip-detectors` options. A common use case is to consider only issues with high or critical severity, with `--detectors=high`.

```text
Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.
                               misconfigurations.yml).
      --[no-]conf-download   Download scanner config? (default: true)
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run,
                               PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to
                               ignore, or PRIORITY
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
```

### SCMs and CI/CD misconfigurations scanning

The CI/CD scanner performs checks against your SCM and CI/CD systems to retrieve information about your repository and organization, and validates whether any misconfigurations affect them.

It is important to provide tokens with the corresponding permissions so that the scanner can collect the data needed for the analysis. If tokens are not provided, the scanner will not be able to assess your repository or organization.

{% hint style="info" %}
Please see [SCM, CI/CD and Container Registry tokens](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/scm-ci-cd-and-container-registry-tokens) for further information.
{% endhint %}
