Exporting Xygeni results to 3rd party tools

xygeni scan --send-to

The --send-to=TARGET option exports the scanner results to the target system.

This can be combined with the upload to the Xygeni platform (the default) if your organization prefers to manage the issues found in the target system, typically a source code manager (SCM) or a SOAR / SIEM platform.

The following values for TARGET are supported, grouped by the external tool they integrate with.

For integration into GitHub

GitHub Alerts

github/alert, which uses the GitHub Code Scanning API to upload the issues as GitHub Code Scanning alerts. This requires Code Scanning to be available for the repository: it is for public repositories, and for private repositories only when code scanning is enabled (Enterprise edition only).

See SCM and CI/CD tokens for details on how to configure the GitHub token needed for creating GitHub Code Scanning alerts. If you run the Xygeni scanner in GitHub Actions, the job token needs the security-events: write permission to create the alerts. You may add the following section to the workflow YAML:

permissions:
  actions: read
  contents: read
  security-events: write
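As an added example (not code from the Xygeni documentation), the following complete GitHub Actions workflow applies these permissions, installs the scanner with the same install script used in the GitLab job further down this page, runs a secrets scan and exports the findings as Code Scanning alerts. The workflow file name, the job name, the XYGENI_TOKEN secret name and passing the repository token through a GITHUB_TOKEN environment variable are assumptions; check SCM and CI/CD tokens for the variable the scanner actually reads.

```yaml
# Added example: .github/workflows/xygeni-secrets.yml (file name is an assumption)
name: Xygeni secrets scan

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job only needs to read the checkout and write security events
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  xygeni-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Same install script as in the GitLab job on this page.
      # -fsSL makes curl fail on HTTP errors instead of piping an error page into bash.
      - name: Install Xygeni scanner
        env:
          XYGENI_TOKEN: ${{ secrets.XYGENI_TOKEN }}   # secret name is an assumption
        run: |
          curl -fsSL https://get.xygeni.io/latest/scanner/install.sh |
            /bin/bash -s -- -o -t "$XYGENI_TOKEN"

      # Uploads the leaks to Xygeni (--upload) and creates Code Scanning alerts (github/alert)
      - name: Scan for secrets and create Code Scanning alerts
        env:
          # Assumption: the scanner reads the SCM token from GITHUB_TOKEN;
          # see "SCM and CI/CD tokens" for the actual variable name
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          "$HOME/.xygeni/xygeni" secrets -n "$GITHUB_REPOSITORY" \
            --dir "$GITHUB_WORKSPACE" --upload --send-to=github/alert
```

The alerts appear under the repository's Security tab only where Code Scanning is available, as described above; for a private repository without it, change the target to github/status, which needs no extra permission beyond what the repository token already has for statuses.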

GitHub Status

github/status, which uses Commit Statuses to report the scan results. For a given commit, a status is a short checkpoint showing whether the Xygeni scan passed or found important issues. A table with the issues is added as a comment on the commit. This capability is available in all GitHub editions, including private repositories.

Code Scanning alerts are more informative and actionable, but require Code Scanning, which is only available under the conditions described above. A GitHub Commit Status is a simpler feature that is generally available.

For integration into GitLab

GitLab Alerts

GitLab provides a mechanism for integrating findings from external security scanners. It consists of a CI job definition that invokes the scanner, which must write a JSON file into the sources directory, in a format accepted by GitLab and following its file naming convention. The Xygeni scanner generates such a file when possible (that is, when the scan results map onto GitLab's vulnerability-based security findings), using the --send-to=gitlab/alerts scanner option.

The following is an example job that could be added to the project's .gitlab-ci.yml:

# This is a GitLab job invoking the scanner for secrets
# XYGENI_TOKEN must be a protected (and masked) variable or a Vault secret
# PROJECT_NAME and PROJECT_HOME are placeholders: define them as CI variables,
# or use GitLab's predefined CI_PROJECT_NAME and CI_PROJECT_DIR. The report
# path below is relative to CI_PROJECT_DIR, so PROJECT_HOME must point there.
xygeni_call:
  stage: test
  # Do not block the pipeline when the scanner fails or reports issues
  allow_failure: true
  script:
    # Install the scanner; -fsSL makes curl fail on HTTP errors
    # instead of piping an error page into bash
    - >
      curl -fsSL https://get.xygeni.io/latest/scanner/install.sh |
      /bin/bash -s -- -o -t "$XYGENI_TOKEN"
    # Run the secrets scan and write the GitLab-compatible report
    # into the sources directory
    - >
      $HOME/.xygeni/xygeni secrets -n "$PROJECT_NAME" --dir "$PROJECT_HOME"
      --send-to=gitlab/alerts
  artifacts:
    # Upload the report even if the scanner exits with a non-zero status
    when: always
    reports:
      # Key: Filename, see following table
      secret_detection: gl-xygeni-secrets-secret-detection.json

The following are the scan commands that support export to GitLab, with the values for the report key and filename to use in the artifacts:reports: section of the job definition:

The Xygeni scanner findings are shown in different places in the GitLab UI, depending on the edition.

Examples:

xygeni secrets --dir PATH --upload --send-to=github/alert

Runs a secrets scan. The secret leaks found are uploaded to Xygeni and to GitHub, where they appear as Code Scanning alerts.

xygeni scan --dir PATH --send-to=github/status --run=codetamper,suspectdeps,secrets,iac,compliance

Runs a partial scan of the specified kinds. The issues found are uploaded to Xygeni (the default) and reported to GitHub as a Commit Status. Add --no-upload to skip uploading to Xygeni.
