
Exporting Xygeni results to 3rd party tools


Last updated 7 months ago

xygeni scan --send-to

The --send-to=TARGET option exports the scanner results to the target system.

This can be combined with uploading to the Xygeni platform if your organization prefers to manage the scan issues found in the target system, typically a source code manager (SCM) or a SOAR / SIEM platform.

The following supported values for TARGET can be used to integrate with different external tools.

For integration into GitHub

GitHub Alerts

github/alert, which uses the GitHub Code Scanning API to upload the issues to GitHub Code Scanning. This requires Code Scanning to be available, which is the case for public repositories and for private repositories with Code Scanning enabled (Enterprise edition only).

See SCM and CI/CD tokens for details on how to configure the GitHub token needed for creating GitHub Code Scanning alerts. If you run the Xygeni Scanner using GitHub Actions, the token needs the security-events: write permission to create the alerts. You may use the following section in the GitHub workflow YAML:

permissions:
  actions: read
  contents: read
  security-events: write

GitHub Status

github/status, which uses Commit Statuses to report the scan results. For a given commit, a status is a short checkpoint showing whether the Xygeni scan passed or found important issues. A table with the issues is shown in a comment on the commit. This capability is available in all GitHub editions, even for private repositories.

Code Scanning alerts are more informative and actionable, but require Code Scanning, which is only available under certain circumstances. GitHub Commit Status is a simpler feature that is generally available.

For integration into GitLab

GitLab Alerts

GitLab provides a mechanism for integrating findings from external security scanners. It consists of creating a CI job definition that invokes the scanner, which must generate a JSON file in the sources directory, in a format accepted by GitLab and following its naming convention. The Xygeni scanner generates such a file when possible (when the scan results are compatible with the vulnerability-based security findings in GitLab), using the --send-to=gitlab/alerts scanner option.

The following is an example job that could be added to the GitLab .gitlab-ci.yml file:

# This is a GitLab job invoking the scanner for secrets
# XYGENI_TOKEN must be a protected variable or a Vault secret
xygeni_call:
  stage: test
  allow_failure: true
  script:
    - >
      curl -L https://get.xygeni.io/latest/scanner/install.sh |
      /bin/bash -s -- -o -t $XYGENI_TOKEN
    - >
      $HOME/.xygeni/xygeni secrets -n "$PROJECT_NAME" --dir "$PROJECT_HOME"
      --send-to=gitlab/alerts
  artifacts:
    reports:
      # Key: Filename, see following table
      secret_detection: gl-xygeni-secrets-secret-detection.json

The following are the scan commands that support export to GitLab, with the report key and filename to use in the artifacts:reports: section of the job definition:

Scan                  Key                  Filename
Secrets               secret_detection     gl-xygeni-secrets-secret-detection.json
Code Tampering        sast                 gi-xygeni-codetamper-sast.json
Suspect dependencies  dependency_scanning  gl-xygeni-badcomponents-dependency-scanning.json
IaC flaws             sast                 gi-xygeni-iac-sast.json

The Xygeni scanner findings are shown in different places in the GitLab UI, depending on the edition.

Examples:

xygeni secrets --dir PATH --upload --send-to=github/alert

Runs a secrets scan. The secret leaks found will be uploaded to Xygeni and to GitHub, so they will be seen in GitHub's Code Scanning alerts.

xygeni scan --dir PATH --send-to=github/status --run=codetamper,suspectdeps,secrets,iac,compliance

Runs a partial scan of the specified kinds. The secret leaks found will be uploaded to Xygeni (the default) and to GitHub as a Commit Status. You may add --no-upload to skip uploading to Xygeni.
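As an added example (not from the Xygeni documentation), the following is a complete GitHub Actions workflow that combines the permissions block from the GitHub Alerts section with the github/alert export shown in the examples, using the same installer URL and scanner invocation as the GitLab job above. It assumes XYGENI_TOKEN is stored as a repository secret and that the scanner reads the GitHub token from a GITHUB_TOKEN environment variable; the exact variable name is documented on the SCM and CI/CD tokens page.

```yaml
# Added example workflow; not part of the Xygeni docs or product.
# Runs a Xygeni secrets scan on every push to main and on pull requests,
# uploads results to Xygeni and creates GitHub Code Scanning alerts.
name: xygeni-secrets

on:
  push:
    branches: [ main ]
  pull_request:

# Minimal permissions: security-events: write is what allows the scanner
# to create Code Scanning alerts through the Code Scanning API.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  xygeni:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Xygeni scanner
        # Same installer line as the GitLab job; -t registers the Xygeni token.
        env:
          XYGENI_TOKEN: ${{ secrets.XYGENI_TOKEN }}   # repository secret
        run: |
          curl -L https://get.xygeni.io/latest/scanner/install.sh |
            /bin/bash -s -- -o -t "$XYGENI_TOKEN"

      - name: Scan for secret leaks and export to Code Scanning
        env:
          # Assumed variable name for the GitHub token the scanner uses
          # when calling the Code Scanning API (see SCM and CI/CD tokens).
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          "$HOME/.xygeni/xygeni" secrets \
            -n "${GITHUB_REPOSITORY##*/}" \
            --dir "$GITHUB_WORKSPACE" \
            --upload --send-to=github/alert
```

Once the workflow has run, the alerts appear under the repository's Security tab as Code Scanning alerts, provided Code Scanning is enabled for the repository as described above.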