# Exporting Xygeni results to 3rd party tools

## xygeni scan --send-to

{% hint style="info" %}
The **`--send-to=TARGET`** option exports the scanner results to the target system.

This can be combined with upload to the Xygeni platform if your organization prefers to manage the issues found by the scan in the target system, which is often a source code manager (SCM) or a SOAR / SIEM platform.
{% endhint %}

The following values for `TARGET` are supported for integrating with different external tools.

### **For integration into GitHub**

#### **GitHub Alerts**

`github/alert` uses the GitHub Code Scanning API to upload the issues to GitHub Code Scanning. This requires Code Scanning to be available, which is the case for public repositories and for private repositories with code scanning enabled (Enterprise edition only).

<figure><img src="https://4096647782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUTz59rJLkJBjiRWAMknU%2Fuploads%2FsN43OoF9B6gpNM0pMaDo%2Fimage.png?alt=media&#x26;token=da3d00f7-e538-44d2-8cf2-c98e1e748a84" alt="" width="563"><figcaption></figcaption></figure>

See [SCM and CI/CD tokens](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/scm-ci-cd-and-container-registry-tokens) for details on how to configure the GitHub token needed for creating GitHub Code Scanning alerts. If you run the Xygeni Scanner using GitHub Actions, the token needs the `security-events: write` permission to create the alerts. You may use the following section in the GitHub workflow YAML:

```yaml
permissions:
  actions: read
  contents: read
  security-events: write
```

#### **GitHub Status**

`github/status` uses Commit Statuses to report the scan results. For a given commit, a status is a short checkpoint showing whether the Xygeni scan passed or found important issues. A table with the issues is shown in a comment for the commit. This capability is available in all GitHub editions, even for private repositories.

<figure><img src="https://4096647782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUTz59rJLkJBjiRWAMknU%2Fuploads%2FKneQY1g18HKdNHGRBOZE%2Fimage.png?alt=media&#x26;token=2c41f090-f6dc-4ff6-a62a-04d7d756b50c" alt="" width="563"><figcaption></figcaption></figure>

Code Scanning alerts are more informative and actionable, but require *Code Scanning*, which is only available under certain circumstances. GitHub *Commit Status* is a simpler feature available generally.

### **For integration into GitLab**

#### **GitLab Alerts**

GitLab provides a mechanism for [integrating findings from external security scanners](https://docs.gitlab.com/ee/development/integrations/secure.html). This mechanism consists of creating a CI job definition that invokes the scanner, which must generate a JSON file in the sources directory, in a format accepted by GitLab and following a naming convention. The Xygeni scanner generates such a file when possible (when the scan results are compatible with the vulnerabilities-based security findings in GitLab), using the `--send-to=gitlab/alerts` scanner option.

The following is an example job that could be added to the GitLab `.gitlab-ci.yml` file:

```yaml
# This is a GitLab job invoking the scanner for secrets
# XYGENI_TOKEN must be a protected variable or a Vault secret
xygeni_call:
  stage: test
  allow_failure: true
  script:
    - >
      curl -L https://get.xygeni.io/latest/scanner/install.sh |
      /bin/bash -s -- -o -t "$XYGENI_TOKEN"
    - >
      $HOME/.xygeni/xygeni secrets -n "$PROJECT_NAME" --dir "$PROJECT_HOME"
      --send-to=gitlab/alerts
  artifacts:
    reports:
      # Key: Filename, see following table
      secret_detection: gl-xygeni-secrets-secret-detection.json
```

The following are the scan commands that support export to GitLab, with the values for the report key and filename to use in the `artifacts:reports:` section of the job definition:

| Scan                 | Key                  | Filename                                         |
| -------------------- | -------------------- | ------------------------------------------------ |
| Secrets              | secret\_detection    | gl-xygeni-secrets-secret-detection.json          |
| Code Tampering       | sast                 | gi-xygeni-codetamper-sast.json                   |
| Suspect dependencies | dependency\_scanning | gl-xygeni-badcomponents-dependency-scanning.json |
| IaC flaws            | sast                 | gi-xygeni-iac-sast.json                          |

The Xygeni scanner findings are shown in different places in the GitLab UI, depending on the edition.
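
Because the report file is only generated "when possible" and the example job sets `allow_failure: true`, a missing report can go unnoticed. The following check is an added example, not part of the Xygeni documentation or tooling: it could run as a final `script:` step to confirm that the report named in the table exists and looks like a GitLab security report. The function names are hypothetical, the scan-kind names are taken from the `--run=` values on this page, and the filenames are copied verbatim from the table.

```bash
#!/usr/bin/env bash
# Added example: fail loudly when the expected GitLab report is missing.

# Map a scan kind to the report filename listed in the table on this page.
report_file_for() {
  case "$1" in
    secrets)     echo "gl-xygeni-secrets-secret-detection.json" ;;
    codetamper)  echo "gi-xygeni-codetamper-sast.json" ;;
    suspectdeps) echo "gl-xygeni-badcomponents-dependency-scanning.json" ;;
    iac)         echo "gi-xygeni-iac-sast.json" ;;
    *)           return 1 ;;
  esac
}

# check_report KIND [DIR]
# Prints the report path and returns 0 when the report for KIND exists in DIR,
# is non-empty, and contains the top-level keys of a GitLab security report.
# Return codes: 2 = unknown scan kind, 3 = missing/empty file, 4 = wrong content.
check_report() {
  local kind="$1" dir="${2:-.}" name path
  name="$(report_file_for "$kind")" || {
    echo "unknown scan kind: $kind" >&2
    return 2
  }
  path="$dir/$name"
  [ -s "$path" ] || {
    echo "missing or empty report: $path" >&2
    return 3
  }
  # Cheap sanity check only; this is not validation against GitLab's schema.
  grep -q '"version"' "$path" && grep -q '"vulnerabilities"' "$path" || {
    echo "not a GitLab security report: $path" >&2
    return 4
  }
  echo "$path"
}
```

In a job, `check_report secrets "$PROJECT_HOME"` after the scan step makes the job log show explicitly when no report was produced for GitLab to ingest.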

**Examples:**

```console
xygeni secrets --dir PATH --upload --send-to=github/alert
```

Runs a [secrets scan](https://docs.xygeni.io/xydocs/secrets/SecretsScanner.html). The secret leaks found will be uploaded to Xygeni and to GitHub, so they will appear in GitHub's Code Scanning alerts.

```console
xygeni scan --dir PATH --send-to=github/status --run=codetamper,suspectdeps,secrets,iac,compliance
```

Runs a partial scan of the specified kinds. The secret leaks found will be uploaded to Xygeni (the default) and to GitHub as Commit Status. You may add `--no-upload` to skip uploading to Xygeni.

