Single scan
It’s important to ensure that the JAVA_HOME environment variable points to the directory where Java is installed, which may or may not be done automatically depending on your platform. Additionally, you need to make sure that the $JAVA_HOME/bin directory is included in your system’s PATH so that you can access the Java executable from anywhere on your system. Please see Xygeni CLI Prerequisites for further info.
The xygeni scan command is a wrapper that runs all the different types of scanners. Therefore, when xygeni scan is executed, by default ALL the available scanners are executed silently. See Xygeni Scanners for a full description of the available scanners.
Nevertheless, xygeni scan lets you select which scanners to execute with the --run parameter.
For example, to run only deps and secrets you could execute:
xygeni scan --run="deps,secrets"
Similarly, to run all the scanners except deps and secrets, use the --skip parameter to avoid running them:
xygeni scan --skip="deps,secrets"
The xygeni scan command analyzes the specified input (a directory, a source repository or a container image), generates an output with the results, and exports or uploads the results to the Xygeni platform for consolidation and central access.
Results upload
Whether results are uploaded to the Xygeni servers depends on whether you run scan or a specific scanner:
When using scan, the results are automatically uploaded to the Xygeni servers.
When using any specific scanner (secrets, deps, etc.), the results are NOT uploaded to the Xygeni servers.
Scan inputs
The xygeni scan command can scan the following types of inputs (objects to be scanned):
Directory Scan
Pass the directory for the sources to analyze in the -d or --dir option. Defaults to the current working directory. To specify comma-separated patterns for files to include / exclude in the scan, use the -i|--include and -e|--exclude options, respectively.
Exclusions / Inclusions
The --include and --exclude options let you include or exclude directories and files:
Input files options:
  -d, --dir=<directory>           The directory to analyze (default: current
                                    directory).
  -i, --include=<includePatterns>
                                  Include patterns, comma-separated (optional).
  -e, --exclude=<excludePatterns>
                                  Exclude patterns, comma-separated (optional).
                                  Example: '**/test/**'
      --no-stdin                  Force to not read filenames from standard in
You can pipe a list of filenames to the secret scanner, and the scanner will process only the piped list. If you want to avoid this behavior (i.e. not reading piped filenames), use the --no-stdin option.
Repository Scan
Pass either the repository URL or the scm:owner/name shortcut in the -repo or --repository option. The repository is cloned into a temporary directory that is then scanned, so include/exclude patterns also work. The HEAD branch is used by default; use --repo-branch SHA_or_branch with the SHA digest of a commit or the name of the repository branch to clone.
Container Image Scan
Use --image to pass the image name, including the registry host, the namespace and the repository, plus the tag or the image SHA digest. Please note that not all scan commands are available for image scanning.
If none of --dir, --repository or --image is provided, the default is --dir with the current directory as default.
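The following POSIX sh wrapper is an added example, not part of the Xygeni documentation or CLI: it checks the JAVA_HOME prerequisite described above, composes the xygeni scan argument list for a directory, repository or image input with either a --run or a --skip list (never both), keeps the '**/test/**' exclusion from the help text, and shows the stdin-piping behaviour of the secrets scanner on staged git files. It assumes the xygeni binary is on PATH; the helper names, the trusted-input policy and the git-based file list are the example's own choices.

```shell
#!/bin/sh
# Added example (not Xygeni's own code). Assumes `xygeni` is on PATH and that
# the arguments passed to these helpers come from the script's own CI config,
# not from untrusted user input.

# Verify the Java prerequisite: JAVA_HOME set and $JAVA_HOME/bin/java executable.
check_java_home() {
  [ -n "$JAVA_HOME" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
  [ -x "$JAVA_HOME/bin/java" ] || { echo "no java under $JAVA_HOME/bin" >&2; return 1; }
  return 0
}

# Compose the argument list for `xygeni scan` and print it on one line.
#   $1  input kind: dir | repo | image
#   $2  input value: directory path, repository URL/shortcut, or image reference
#   $3  comma-separated scanners to run (empty = all scanners)
#   $4  comma-separated scanners to skip (empty = skip none)
# --run and --skip are treated as mutually exclusive: supply one or the other.
build_scan_args() {
  kind=$1; target=$2; run=$3; skip=$4
  if [ -n "$run" ] && [ -n "$skip" ]; then
    echo "use either a run list or a skip list, not both" >&2
    return 1
  fi
  case "$kind" in
    dir)   args="--dir=$target" ;;
    repo)  args="--repository=$target" ;;
    image) args="--image=$target" ;;
    *)     echo "unknown input kind: $kind" >&2; return 1 ;;
  esac
  [ -n "$run" ]  && args="$args --run=$run"
  [ -n "$skip" ] && args="$args --skip=$skip"
  # Keep test fixtures out of every scan (pattern taken from the help text).
  args="$args --exclude=**/test/**"
  echo "$args"
}

# Run the composed scan. Pathname expansion is disabled in the subshell (set -f)
# so the '**/test/**' pattern reaches xygeni verbatim instead of being globbed.
run_scan() {
  check_java_home || return 1
  args=$(build_scan_args "$@") || return 1
  if command -v xygeni >/dev/null 2>&1; then
    ( set -f; xygeni scan $args )
  else
    echo "dry run: xygeni scan $args"
  fi
}

# Scan only the files staged in git for secrets: the secrets scanner reads a
# filename list from standard input and processes just those files.
scan_staged_for_secrets() {
  git diff --cached --name-only --diff-filter=ACM | xygeni secrets
}

# Example invocations (hypothetical targets):
#   run_scan dir . deps,secrets ""          # only the deps and secrets scanners
#   run_scan repo github:acme/app "" deps   # every scanner except deps
#   run_scan image registry.example.com/team/app:1.2 "" ""
```

Because run_scan uses `xygeni scan` rather than an individual scanner, results are uploaded to the Xygeni platform automatically; scan_staged_for_secrets calls the secrets scanner directly, so its findings stay local unless exported separately.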