# Xygeni CLI Installation
Xygeni CLI can be used either installing it or by using Xygeni CLI Docker Image.
{% hint style="info" %}
This page specifies how to install CLI. Please visit [Xygeni CLI Docker Image](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-docker-image) if you prefer to use the CLI docker image.
{% endhint %}
### CLI Installation
{% hint style="info" %}
Please see [Xygeni CLI Prerequisites](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-prerequisites) before installing.
{% endhint %}
#### Install the Scanner
Xygeni provides bootstrap scripts (`get-xygeni.sh` for mac/Linux, `get-xygeni.ps1` for Windows) that download the scanner, verify its SHA-256 checksum, and install it in a single step.
{% tabs %}
{% tab title="mac/Linux" %}
**1. Download the bootstrap script**
```bash
curl -sSfLO https://get.xygeni.io/latest/scanner/get-xygeni.sh
```
**2. Review the script**
The script downloads the scanner, verifies its SHA-256 checksum (from a separate source on GitHub), and installs it. You can review its contents — it is intentionally kept short:
```shell
set -e
# Download helper: uses curl if available, falls back to wget
fetch() { curl -sSfL "$1" 2>/dev/null || wget -qO- "$1"; }
DIR="${1:-$HOME/.xygeni}"
# Check and exit if already installed
[ -x "$DIR/xygeni" ] && { echo "Xygeni scanner already installed in $DIR" >&2; exit 0; }
ZIP="$(mktemp).zip"
trap 'rm -f "$ZIP"' EXIT
# Download scanner and checksum
fetch https://get.xygeni.io/latest/scanner/xygeni_scanner.zip > "$ZIP"
EXPECT=$(fetch https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/xygeni-release.zip.sha256)
ACTUAL=$(sha256sum "$ZIP" 2>/dev/null || shasum -a 256 "$ZIP")
ACTUAL=$(echo "$ACTUAL" | awk '{print $1}')
# Verify checksum
[ "$EXPECT" = "$ACTUAL" ] || { echo "Checksum mismatch: expected $EXPECT, got $ACTUAL" >&2; exit 1; }
# Extract scanner: uses unzip if available, falls back to jar (Java is required for the scanner)
mkdir -p "$DIR"
unzip -qo "$ZIP" -d "$DIR" 2>/dev/null || (cd "$DIR" && jar xf "$ZIP")
mv "$DIR/xygeni_scanner"/* "$DIR/" && rmdir "$DIR/xygeni_scanner" # flatten nested dir
echo "Xygeni scanner installed in $DIR"
```
**3. Verify the script checksum**
```bash
h=$(curl -s https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/get-xygeni.sh.sha256)
echo "$h get-xygeni.sh" | sha256sum -c
```
{% hint style="warning" %}
On macOS, `sha256sum` may not be available. Replace `sha256sum -c` with `shasum -a 256 -c` in the command above.
{% endhint %}
If the checksum matches, you will see:
```
get-xygeni.sh: OK
```
If it does not match, you will see:
```
get-xygeni.sh: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
```
{% hint style="danger" %}
If the checksum verification fails, do not run the script. Delete the downloaded file and try downloading it again. If the problem persists, contact [Xygeni support](https://xygeni.io/contact).
{% endhint %}
**4. Run the script**
```bash
# Default installs to ~/.xygeni, or pass a custom directory
sh get-xygeni.sh [install_dir]
```
{% endtab %}
{% tab title="Windows" %}
**1. Download the bootstrap script**
```powershell
Invoke-WebRequest https://get.xygeni.io/latest/scanner/get-xygeni.ps1 -OutFile get-xygeni.ps1
```
**2. Review the script**
The script downloads the scanner, verifies its SHA-256 checksum (from a separate source on GitHub), and installs it. You can review its contents:
```powershell
# Installation directory (default: $Home\.xygeni, or pass -Dir)
param([string]$Dir = "$Home\.xygeni")
$DownloadUrl = 'https://get.xygeni.io/latest/scanner/xygeni_scanner.zip'
$ChecksumUrl = 'https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/xygeni-release.zip.sha256'
$ErrorActionPreference = 'Stop'
# Check and exit if already installed
if (Test-Path (Join-Path $Dir 'xygeni.ps1')) { Write-Host "Xygeni scanner already installed in $Dir"; exit 0 }
$zip = [System.IO.Path]::GetTempFileName() + '.zip'
try {
# Download scanner and checksum
Invoke-WebRequest -URI $DownloadUrl -OutFile $zip -UseBasicParsing
$expect = (Invoke-WebRequest -URI $ChecksumUrl -UseBasicParsing).Content.Trim()
# Verify SHA256 checksum
$actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash.ToLower()
if ($expect -ne $actual) { throw "Checksum mismatch: expected $expect, got $actual" }
# Unzip scanner
New-Item -ItemType Directory -Force -Path $Dir | Out-Null
Expand-Archive -Force $zip -DestinationPath $Dir
Move-Item -Force (Join-Path (Join-Path $Dir 'xygeni_scanner') '*') $Dir # flatten nested dir
Remove-Item (Join-Path $Dir 'xygeni_scanner')
Write-Host "Xygeni scanner installed in $Dir"
} finally { Remove-Item -Force -ErrorAction SilentlyContinue $zip }
```
**3. Verify the script checksum**
```powershell
$h = (Invoke-WebRequest https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/get-xygeni.ps1.sha256 -UseBasicParsing).Content.Trim()
(Get-FileHash .\get-xygeni.ps1 -Algorithm SHA256).Hash -eq $h
```
If the checksum matches, the command returns:
```
True
```
If it does not match, the command returns:
```
False
```
{% hint style="danger" %}
If the checksum verification fails (`False`), do not run the script. Delete the downloaded file and try downloading it again. If the problem persists, contact [Xygeni support](https://xygeni.io/contact).
{% endhint %}
**4. Run the script**
```powershell
# Default installs to $Home\.xygeni, or pass -Dir
.\get-xygeni.ps1 [-Dir C:\path\to\install]
```
{% endtab %}
{% endtabs %}
{% hint style="info" %}
The script fetches the checksum from GitHub (`raw.githubusercontent.com/xygeni/xygeni`) while the scanner zip is downloaded from `get.xygeni.io` — an attacker would need to compromise both sites to bypass the integrity check.
{% endhint %}
### Fetch your Xygeni API token
{% hint style="info" %}
Active Xygeni account credentials are mandatory to run the script, so make sure you’ve signed up first! Visit [Create a Free Trial account](https://docs.xygeni.io/getting-started/create-a-free-trial-account) or [Log in to Xygeni](https://docs.xygeni.io/getting-started/log-in-to-xygeni)
{% endhint %}
Go your [profile pannel](https://in.xygeni.io/dashboard/configuration-panel/profile) and navigate to Organization/Personal Tokens:
Create a new token. The difference betweeen Organization tokens and Personal tokens is who can see and revoke those tokens. Select either one and generate a new token.
In order to run scans, the only permission that is needed is the "Upload scan results" permission. However, if you want to use the same token with the REST API, you’ll need to grant it additional permissions.
### Set XYGENI\_TOKEN environment variable
In order to run scans, a new environment variable must be set, the name of this variable must be "XYGENI\_TOKEN" and it content has to be the token that was created in the previous step.
{% tabs %}
{% tab title="mac/Linux" %}
```
nano ~/.bashrc
```
Add this line at the end of the file:
```
export XYGENI_TOKEN=""
```
Apply the changes:
```
source ~/.bashrc
```
{% endtab %}
{% tab title="Windows" %}
```
setx XYGENI_TOKEN ""
```
{% endtab %}
{% endtabs %}
{% hint style="info" %}
This will create the XYGENI\_TOKEN environment variable for the current user.
{% endhint %}
### (Recommended) Add the scanner folder to path
In order to execute the Xygeni application as another command, the scanner must be accessible from your shell.
{% hint style="info" %}
This step is optional but highly recommended to facilitate future scans.
{% endhint %}
{% tabs %}
{% tab title="mac/Linux" %}
**Option 1 — Symlink in `~/.local/bin`** (recommended, if `~/.local/bin` is already in PATH):
```bash
ln -s "$HOME/.xygeni/xygeni" "$HOME/.local/bin/xygeni"
```
**Option 2 — Shell alias** in `~/.bashrc` or `~/.zshrc`:
```bash
echo 'alias xygeni="$HOME/.xygeni/xygeni"' >> ~/.bashrc
source ~/.bashrc
```
**Option 3 — Add to PATH** (fallback):
```bash
echo 'export PATH="$PATH:$HOME/.xygeni"' >> ~/.bashrc
source ~/.bashrc
```
{% endtab %}
{% tab title="Windows" %}
```powershell
setx PATH "%PATH%;$Home\.xygeni"
```
{% endtab %}
{% endtabs %}
{% hint style="info" %}
This will modify the Current User Path.
{% endhint %}
### What’s next?
Congratulations, at this point you should have your installation successfully completed.
Now, let’s `run your first scan`. Move to your installation directory and execute the command:
```
cd ~/.xygeni
xygeni scan -n your_project_name --dir your_project_path
```
