Single scan

The command xygeni scan is a wrapper to run all the different types of scanners. Therefore, when xygeni scan is executed, by default ALL the available scanners are silently executed. See for a full description of available scanners.

Nevertheless, xygeni scan allows you to select which scanners to execute using --run parameter.

If you want, for example, to run only deps and secrets you could execute:

xygeni scan --run="deps,secrets" 

Similarly, if you want to run all the scanner except deps and secrets you could use --skip parameter to avoid running them:

xygeni scan --skip="deps,secrets" 

xygeni scan command analyzes the (a directory, a source repository or a container image), generates an with the results, and the results to the Xygeni platform for consolidation and central access.

Results upload

Depending if you specify scan or any specific scanner, the results uploading to the Xygeni servers works differently.

• When using scan, the results are automatically uploaded to Xygeni servers.

• When using any specific scanner (secrets, deps, etc), the results are NOT uploaded to Xygeni servers.

Scan inputs

xygeni scan command allows to scan the following types of inputs (or objects to be scanned):

Directory Scan

Pass the directory for the sources to analyze in the -d or --dir option. Defaults to the current working directory. To specify comma-separated patterns for files to include / exclude in the scan, use the -i|--include and -e|--exclude options, respectively.

Exclusions / Inclusions

Commands --include and --exclude allows you to include/exclude directories/files

// Some code
Input files options:
  -d, --dir=<directory>      The directory to analyze (default: current
                               directory).
  -i, --include=<includePatterns>
                             Include patterns, comma-separated (optional).
  -e, --exclude=<excludePatterns>
                             Exclude patterns, comma-separated (optional).
                               Example: '**/test/**'
      --no-stdin             Force to not read filenames from standard in

You can pipe a list of filenames to the secret scanner and the scanner will process only the piped list. If you want to avoid this behavior (i.e. not reading piped filenames), you can use --no-stdin option.

Repository Scan

Pass either the repository URL or scm:owner/name shortcut in the -repo or --repository option. The repository will be cloned into a temporary directory that will be scanned, so include/exclude patterns also work. The HEAD branch will be used by default; use --repo-branch SHA_or_branch with the SHA digest of a commit or the name of the repository branch to clone.

Container Image Scan

• Container Image Scan

  Use --image to pass the image name, including the registry host, the namespace and the repository, plus tag or the image SHA digest.

  Please note that not all scan commands are available for image scanning.

If none of --dir, --repository or --image is provided, the default is --dir with the current directory as default.

Scanners for Docker images