Exporting Xygeni results to 3rd party tools
Last updated
The --send-to=TARGET option exports the scanner results to the target system.
This can be combined with the upload to the Xygeni platform (the default) if your organization prefers to manage the issues found by the scan in the target system, typically a source code manager (SCM) or a SOAR / SIEM platform.
The following values of TARGET are supported for integrating with external tools.
github/alert, which uses the GitHub Code Scanning API to upload the issues as GitHub Code Scanning alerts. This requires Code Scanning to be available for the repository, which is the case for public repositories and for private repositories with code scanning enabled (GitHub Enterprise only).
See SCM and CI/CD tokens for details on how to configure the GitHub token needed for creating GitHub Code Scanning alerts. If you run the Xygeni Scanner from GitHub Actions, the workflow token needs the security-events: write permission to create the alerts. You may use the following section in the GitHub workflow YAML:
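As an added example (this is not a workflow from the Xygeni documentation), a minimal GitHub Actions workflow that grants the job token the security-events: write permission and runs a secrets scan exported with --send-to=github/alert. The scanner being preinstalled on the runner as `xygeni`, the `secrets` subcommand name, and the XYGENI_TOKEN / GITHUB_TOKEN environment variables as the way the scanner receives its credentials are assumptions, not details taken from this page.

```yaml
# Added example, not a workflow from the Xygeni documentation.
# Assumptions (not stated on the page): the scanner is already available on
# the runner as `xygeni` (install step omitted), the `secrets` subcommand name,
# and the XYGENI_TOKEN / GITHUB_TOKEN environment variables as the way the
# scanner receives its credentials.
name: xygeni-secrets-to-code-scanning

on:
  push:
    branches: [main]
  pull_request:

# A top-level permissions block sets every scope not listed here to 'none'
# for the job token, so the workflow runs with least privilege.
permissions:
  contents: read          # needed by actions/checkout
  security-events: write  # needed by the Code Scanning API to create alerts

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Xygeni secrets scan, exported as Code Scanning alerts
        env:
          XYGENI_TOKEN: ${{ secrets.XYGENI_TOKEN }}  # assumed name of the Xygeni API token secret
          GITHUB_TOKEN: ${{ github.token }}          # job token, scoped by the permissions block above
        run: xygeni secrets --send-to=github/alert
```

One caveat worth checking before relying on this: on pull_request events triggered from a fork, GitHub caps the job token at read access regardless of the permissions block, so the Code Scanning upload is rejected there. Run the export on push events (or on pull requests from branches of the same repository), and use github/status, which only needs to post a commit status, where write access to security events is not available.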
github/status, which uses Commit Statuses to report the scan results. For a given commit, a status is a short checkpoint showing whether the Xygeni scan passed or found important issues; a table with the issues is posted as a comment on the commit. This capability is available in all GitHub editions, including for private repositories.
Code Scanning alerts are more informative and actionable, but require Code Scanning, which is only available under the conditions described above. A Commit Status is a simpler feature that is generally available.
GitLab provides a mechanism for integrating findings from external security scanners. This mechanism consists of a CI job definition that invokes the scanner, which must write a JSON file into the sources directory, in a format accepted by GitLab and following its naming convention; the job then declares that file as a report artifact. The Xygeni scanner generates such a file when possible (when the scan results map onto GitLab's vulnerability-based security findings), using the --send-to=gitlab/alerts scanner option.
The following is an example job that could be added to the GitLab .gitlab-ci
The following scan commands support export to GitLab, with the report key and filename to use in the artifacts:reports: section of the job definition:

Scan kind              Report key            Report file
Secrets                secret_detection      gl-xygeni-secrets-secret-detection.json
Code Tampering         sast                  gl-xygeni-codetamper-sast.json
Suspect dependencies   dependency_scanning   gl-xygeni-badcomponents-dependency-scanning.json
IaC flaws              sast                  gl-xygeni-iac-sast.json

The filename given under artifacts:reports must match the file the scanner writes exactly. If it does not, GitLab finds no matching artifact, uploads nothing and shows no findings, while the job itself still succeeds, so a mismatch is easy to miss.
The Xygeni scanner findings are shown in different places in the GitLab UI, depending on the edition.
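As an added example (not the job shipped with the Xygeni documentation), a .gitlab-ci.yml fragment with two jobs that run the scanner with --send-to=gitlab/alerts and register the generated files under the report keys from the table above, one for secrets and one for code tampering. The job image, the `secrets` and `codetamper` subcommand names, and XYGENI_TOKEN as the masked CI/CD variable holding the Xygeni API token are assumptions, not details from this page.

```yaml
# Added example, not the job from the Xygeni documentation.
# Assumptions (not stated on the page): the job image has the scanner
# available as `xygeni` (install omitted), the `secrets` and `codetamper`
# subcommand names, and XYGENI_TOKEN defined as a masked CI/CD variable,
# which GitLab exposes to the job as an environment variable.
stages:
  - test

# Shared settings; `extends` deep-merges this hash into each job below,
# so the per-job artifacts:reports and artifacts:paths are added to it.
.xygeni-base:
  stage: test
  image: ubuntu:22.04   # assumption: any image that can run the scanner
  artifacts:
    when: always         # upload the report even when the job fails
    expire_in: 1 week

xygeni-secrets:
  extends: .xygeni-base
  script:
    - xygeni secrets --send-to=gitlab/alerts
  artifacts:
    reports:
      # key and filename from the table; GitLab only ingests the file when
      # this name matches what the scanner wrote into the sources directory
      secret_detection: gl-xygeni-secrets-secret-detection.json
    paths:
      - gl-xygeni-secrets-secret-detection.json  # keep the raw JSON downloadable

xygeni-codetamper:
  extends: .xygeni-base
  script:
    - xygeni codetamper --send-to=gitlab/alerts
  artifacts:
    reports:
      sast: gl-xygeni-codetamper-sast.json
    paths:
      - gl-xygeni-codetamper-sast.json
```

Keeping the JSON under artifacts:paths as well as artifacts:reports is deliberate: the merge request security widget and the vulnerability report are Ultimate features, so on other tiers the report artifact is stored but not rendered, and the plain path artifact is the easiest way to confirm the scanner actually produced the file with the expected name.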
Examples:
Runs a secrets scan. The secret leaks found will be uploaded to Xygeni and to GitHub, so they will be visible as GitHub Code Scanning alerts.
Runs a partial scan of the specified kinds. The issues found will be uploaded to Xygeni (the default) and to GitHub as a Commit Status. You may add --no-upload to skip uploading to Xygeni.