CI/CD Audit Analysis


Last updated 5 days ago

The Xygeni scanner provides a command to check the results of a project analysis uploaded to the Xygeni server. It generates an audit output that indicates whether the software is ready to be deployed to production without vulnerabilities.

Guardrails normally operate on the scanner's side, often to break the build when certain issues are found. The scan can even be configured in a pre-commit hook, for example to avoid leaking a secret.

But certain issues, for example vulnerabilities in open-source dependencies, need to be processed server-side to get the necessary context. In that case it is possible to upload and register a guardrail that runs server-side over the results uploaded by the scanner.

Such a server-side guardrail (CI/CD Audit) can be linked to projects, so that when scan results are uploaded the guardrail is executed, and the scanner can then query the audit result to decide whether the build may progress.

The result of the audit guardrail is shown as a green/red icon on the project page.

Guardrails at Server Side

Guardrails at the server side (Audit Analysis) are managed with the Xygeni scanner command `xygeni util guardrail`.

By uploading guardrail files to the Xygeni server, guardrails can be associated with projects using project filter expressions.

The `EDIT_POLICIES` permission must be granted to the Xygeni API token used to run this command.

Xygeni Guardrail Command

Usage: xygeni util guardrail

Server side Operations:
    -g, --get                Download a guardrail (by name).
    -l, --list               List available guardrails.
    -u, --upload             Upload a guardrail.
    -r, --remove             Remove a guardrail.
    -e                       Enable a guardrail.
    -d                       Disable a guardrail.
        --associate-filter=<associateProjects>
                             Associate projects to guardrail by filter. Use '*' as a wildcard and '|' as or operator.
        --associate-remove   Remove associate project filter for guardrail.
        --associate-list     List associated projects to guardrail.
        --audit-project, --validate-project=<auditProjectByName>
                             Retrieve server-side guardrails compliance audit for the specified project. Blocks until analysis completion and returns the guardrail exit code (or 0 if guardrails weren't triggered).
        --audit-timeout, --validate-timeout=<auditTimeout>
                             Maximum time in seconds to wait for server-side analysis completion (default: 120).

Parameters:
    -n, --name=<name>        Guardrail name.
    -f, --file=<file>        Guardrail file (for upload).
        --override           Override when uploading if exists.

Commands:
    check                    Validate a guardrail against a report file.

Configuring a CI/CD Audit Guardrail

The following steps set up a CI/CD Audit Guardrail:

1. Create the guardrail. Write a guardrail file that, for example, fails when a critical secret is detected, such as secrets-policy.xyflow:

  guardrail secrets-policy
      on secrets
      when severity = critical
      then @fail()

2. Test the guardrail locally. You may test the guardrail before uploading it by running a scan with the --fail-on option, passing the .xyflow file. For example:

xygeni secrets --name ... --dir ... \
  --fail-on 'file:secrets-policy.xyflow'

Alternatively, you may use a JSON report from a previous scan and run the check command in 'sandbox' mode, with actions in 'dry-run':

xygeni util guardrail check --verbose \
  --guardrail 'file:secrets-policy.xyflow' \
  --report xygeni_secrets_report.json

This command checks the guardrail syntax, the expression filtering over report items, and the action calls, without actually executing the actions.

A valid guardrail syntax and the total number of items matched are logged to the console; with --verbose enabled, each matched item and each action call are logged as well.

3. Upload the guardrail file to Xygeni server:

xygeni util guardrail --upload \
       --file secrets-policy.xyflow \
       --name secrets-policy

4. Associate the guardrail to projects using a filter:

  xygeni util guardrail \
    --name secrets-policy \
    --associate-filter "front*|backend*"

5. Get the list of guardrails with their associated project filters:

  xygeni util guardrail  --associate-list
    ┌──────────────────┬─────────┬─────────────────┐
    │       name       │ enabled │  projectFilter  │
    ├──────────────────┼─────────┼─────────────────┤
    │  secrets-policy  │  true   │ front*|backend* │
    └──────────────────┴─────────┴─────────────────┘

Once the guardrail is registered and mapped to projects, any scan in a pipeline for a matching project will run the audit automatically. To let the pipeline know the result of the audit, the `util guardrail --validate `

6. Check the result of the CI/CD Audit on the Xygeni server after the analysis has been executed locally:

  xygeni util guardrail --audit-project <project-name>

This command blocks until the analysis completes, or until the `--audit-timeout` is reached, and returns the guardrail exit code (or 0 if no guardrail was triggered).

Use the `--audit-timeout` option to set the maximum time in seconds to wait for the server-side analysis to complete (default: 120).
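As an added example (not part of the Xygeni documentation), the following POSIX shell helpers cover two checks a pipeline author wants around steps 4 and 6 above: whether a project name falls under an `--associate-filter` expression, and a fail-closed pipeline gate around `--audit-project`. It assumes the `xygeni` CLI is on PATH and already authenticated; the `XYGENI_BIN` override, the project names and the filter values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Xygeni docs: two checks a pipeline author wants
# around the server-side CI/CD Audit guardrail described above.
# Assumptions: the `xygeni` CLI is on PATH and authenticated; XYGENI_BIN is a
# constructed override (used to stub the CLI in tests); names are constructed.

# Does a project name fall under a guardrail project filter? Implements the
# documented filter syntax: '*' is a wildcard, '|' is the OR operator.
# Returns 0 when the project would be bound to the guardrail, 1 otherwise.
project_matches_filter() {
  project="$1"
  rest="$2"
  while [ -n "$rest" ]; do
    case "$rest" in
      *'|'*) alt="${rest%%|*}"; rest="${rest#*|}" ;;
      *)     alt="$rest";       rest="" ;;
    esac
    # Unquoted $alt is deliberate: case matches it as a glob ('*' wildcard).
    case "$project" in
      $alt) return 0 ;;
    esac
  done
  return 1
}

# Ask the server for the audit result of a project whose scan report was
# already uploaded, waiting at most $2 seconds (the CLI default is 120).
# Exit code 0 means the guardrails passed or were not triggered; any other
# code, a timeout included, must block the build (fail closed). The code is
# stored in AUDIT_EXIT_CODE and returned, so callers can use if/|| contexts.
audit_gate() {
  project="$1"
  timeout="${2:-120}"
  if "${XYGENI_BIN:-xygeni}" util guardrail \
        --audit-project "$project" \
        --audit-timeout "$timeout"; then
    AUDIT_EXIT_CODE=0
    echo "CI/CD audit passed for $project"
  else
    AUDIT_EXIT_CODE=$?
    echo "CI/CD audit blocked $project (guardrail exit code $AUDIT_EXIT_CODE)" >&2
  fi
  return "$AUDIT_EXIT_CODE"
}

# Typical pipeline use, after the scan step that uploaded the report:
#   project_matches_filter "$CI_PROJECT_NAME" 'front*|backend*' && \
#     { audit_gate "$CI_PROJECT_NAME" 300 || exit 1; }
```

Only `*` is documented as a wildcard; because `case` does glob matching, a filter containing `?` or `[...]` would also be interpreted here, so keep filters to the documented characters.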

Read Guardrail Specification for more details on the syntax.