Multi Scan

xygeni multi-scan command

It’s important to ensure that the JAVA_HOME environment variable points to the directory where Java is installed, which may or may not be done automatically depending on your platform. Additionally, you need to make sure that the $JAVA_HOME/bin directory is included in your system’s PATH so that you can access the Java executable from anywhere on your system. Please see Xygeni CLI Prerequisites for further info.

It is common for software to be split into multiple modules under different directories, possibly under different git repositories (when following a polyrepo architecture), or in a single repository (when all pieces of the software are stored in the same repository, as in a monorepo architecture).

You may run separate xygeni scan commands for each module, which gives flexibility, as every command option can be tailored, and good performance, as the scan for each module can run only the appropriate stages (for example, running the iac stage only when IaC templates exist).

Sometimes the directories comprising the software are not known in advance. Or there is a common software layout where a module is split into three separate repos: for example, one repo with the source code, another repo with the build and deploy scripts, and another repo with the IaC templates for provisioning resources in the cloud.

For such situations the multi-scan command could be useful.

xygeni multi-scan [options] 

The different directories to scan can be either discovered

Discovery options:
      --discover             Discover paths under -d | --dir (default: false).
      -dp, --discover-pattern=<discoveryPattern>
                             Regex for paths relative to -d | --dir to be processed.
                             Example: -dp ^micros/AGI_.*|^deploy/AGI_.*|^fe/AGI_.*
      --child-only           Consider only child subdirectories under --dir (default: false)
      --path[=<paths>...]    Path(s) to scan, relative to --dir. Could be specified multiple times.

or specified

      --path[=<paths>...]    Path(s) to scan, relative to --dir. Could be specified multiple times.

In any case, matched paths may be restricted to be roots of git directories using the --git-only option.

      --git-only             Consider only directories that are roots of git repositories (default:
                               false)

Discovery and explicit paths can be combined when the software layout has a set of fixed directories (specified via --path options). You may pass absolute paths in the --path option; otherwise the path is resolved from the --dir option.

The project name given to each matched path can be configured with the -n | --name option.

Map to Xygeni projects

If nothing is specified, xygeni multi-scan will create as many projects in xygeni as different directories/repos are matched.

By default, the name of those projects will be the git repository name, but using explicit paths you can provide a custom Xygeni project name.

$ xygeni -q multi-scan --dir $WORKSPACE --git-only \
    --path MyOrg/MyApp/code -n MyOrg/MyApp/code:MyApp-Source \
    --path MyOrg/MyApp/build -n MyOrg/MyApp/code:MyApp-Build \
    --path MyOrg/MyApp/deploy -n MyOrg/MyApp/code:MyApp-Infra \
    --run inventory,secrets,iac,codetamper \
    -e '**/test/**,build/**' -f none

--dry-run

The --dry-run option shows the matched paths and the scan commands for each matched path without running the scans, so you may write the commands in a CI/CD pipeline.

Examples:

Use --dry-run to check the matched projects and scan command syntax before running it:

# Imagine a project layout with software in separated "application" directories,
# and three repos underneath, one for source code, another for build and deploy,
# and another with deploy playbooks / IaC templates:

$ xygeni -q multi-scan --dir . \
  --discover -dp '^MyOrg/MyApp/' --git-only --dry-run \
  --run inventory,secrets,iac,codetamper \
  -e '**/test/**,build/**' -f none

xygeni scan -n "myorg/MyApp-code" -d MyOrg/MyApp/code -e "**/test/**,build/**" \
    --run=inventory,secrets,iac,codetamper -f none
xygeni scan -n "myorg/MyApp-build" -d MyOrg/MyApp/build -e "**/test/**,build/**" \
    --run=inventory,secrets,iac,codetamper -f none
xygeni scan -n "myorg/MyApp-deploy" -d MyOrg/MyApp/deploy -e "**/test/**,build/**" \
    --run=inventory,secrets,iac,codetamper -f none

After checking that everything is resolved OK, you may remove the --dry-run option to actually run the scans.
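When each module needs its own stage list, as noted earlier for separate xygeni scan commands, the commands can be generated per repository. The script below is an added example, not part of the Xygeni CLI or its documentation: it prints one xygeni scan line per git repository root, in the same form as the --dry-run output above, and adds the iac stage only where templates exist. The function name, the `.git` and `*.tf` heuristics, the use of grep -E for the pattern, and the project naming are assumptions.

```shell
#!/bin/sh
# Added example (not Xygeni code): print a tailored `xygeni scan` command for
# every git repository root under a workspace. Nothing is executed; review the
# printed lines before pasting them into a CI/CD pipeline.
#
# Assumptions made for this example:
#   - a directory is a repository root if it contains a .git entry
#   - "IaC templates exist" is approximated by the presence of *.tf files
#   - the pattern is a POSIX extended regex (grep -E) on the relative path
#   - the project name is the relative path with "/" replaced by "-"
#
# Usage: emit_scan_commands "$WORKSPACE" '^MyOrg/MyApp/'
emit_scan_commands() (
  workspace=${1%/}   # base directory, plays the role of --dir
  pattern=$2         # regex applied to paths relative to the workspace

  # -prune stops find from descending into .git; sort gives stable output.
  find "$workspace" -name .git -prune -print | sort |
  while IFS= read -r gitdir; do
    repo=${gitdir%/.git}
    # The workspace root itself is not treated as a module.
    [ "$repo" = "$workspace" ] && continue
    rel=${repo#"$workspace"/}
    printf '%s\n' "$rel" | grep -Eq -- "$pattern" || continue

    stages=inventory,secrets,codetamper
    # Run the iac stage only when this repository holds Terraform templates.
    if [ -n "$(find "$repo" -name .git -prune -o -type f -name '*.tf' -print -quit)" ]; then
      stages=inventory,secrets,iac,codetamper
    fi

    name=$(printf '%s' "$rel" | tr '/' '-')
    printf 'xygeni scan -n "%s" -d "%s" --run=%s -f none\n' \
      "$name" "$repo" "$stages"
  done
)
```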
