# Single scan

{% hint style="warning" %}
It’s important to ensure that the **JAVA\_HOME** environment variable points to the directory where Java is installed, which may or may not be done automatically depending on your platform. Additionally, you need to make sure that the $JAVA\_HOME/bin directory is included in your system’s PATH so that you can access the Java executable from anywhere on your system. Please see [Xygeni CLI Prerequisites](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-prerequisites) for further info.
{% endhint %}

The command `xygeni scan` is a wrapper to run all the **different types of scanners**. Therefore, when `xygeni scan` is executed, by default *ALL the available scanners are silently executed*. See [Xygeni Scanners](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-scanners) for a full description of available scanners.

{% hint style="info" %}
**Every available Scanner can be executed alone** (`xygeni secrets`, `xygeni deps`, etc.) and has its **own parameters**.

`xygeni scan` lets you specify the most important parameters of each specific scanner, but not all of them. Therefore, if you need a scanner parameter that `xygeni scan` does not support, invoke that scanner directly.
{% endhint %}

Nevertheless, `xygeni scan` allows you **to select which scanners** to execute using the **`--run`** parameter.

For example, to run only `deps` and `secrets`, execute:

```
xygeni scan --run="deps,secrets"
```

Similarly, to run **all the scanners except** `deps` and `secrets`, use the **`--skip`** parameter to avoid running them:

```
xygeni scan --skip="deps,secrets"
```

`xygeni scan` command analyzes the [input specified](#xygeni-scan-inputs) (a directory, a source repository or a container image), generates an [output](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-output-formats) with the results, and [exports or uploads](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/exporting-xygeni-results-to-3rd-party-tools) the results to the Xygeni platform for consolidation and central access.

## Results upload

Whether results are uploaded to the Xygeni servers depends on whether you run `scan` or a specific scanner:

* When using `scan`, the results are automatically **uploaded** to Xygeni servers.
* When using any specific scanner (`secrets`, `deps`, etc.), the results are **NOT uploaded** to Xygeni servers.

{% hint style="info" %}
You can use the **`--upload`** and **`--no-upload`** options to change the default results upload behavior.
{% endhint %}

## AI Triage during a scan

Pass the `--triage` flag to a scan command to run [AI Triage](https://docs.xygeni.io/xygeni-administration/platform-administration/projects-management/ai-triage) automatically once the scan finishes. The scan runs as usual, and the resulting issues are sent to the AI Triage engine; the triage results are uploaded to a dedicated triage endpoint and become available in the issue slide-out and as tags on the affected issues.

`--triage` is supported on:

* `xygeni scan`
* `xygeni sast`
* `xygeni iac`
* `xygeni secrets`

```bash
xygeni sast -d <dir> --triage [rest of flags ...]
```

{% hint style="info" %}
Triage results are **not** included in the report zip uploaded by the scan — they are uploaded to a dedicated triage endpoint.
{% endhint %}

For on-demand triage of an existing report, see [`util ai-triage`](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/cli-utils/ai-triage).

## Scan inputs

The `xygeni scan` command can scan the following types of inputs (objects to be scanned):

* [Directory](#directory-scan)
* [Repository](#repository-scan)
* [Container Image](#container-image-scan)

### Directory Scan

Pass the directory for the sources to analyze in the `-d` or `--dir` option. Defaults to the current working directory. To specify comma-separated patterns for files to include / exclude in the scan, use the `-i|--include` and `-e|--exclude` options, respectively.

#### Exclusions / Inclusions

The `--include` and `--exclude` options allow you to include or exclude directories and files:

```
Input files options:
  -d, --dir=<directory>      The directory to analyze (default: current
                               directory).
  -i, --include=<includePatterns>
                             Include patterns, comma-separated (optional).
  -e, --exclude=<excludePatterns>
                             Exclude patterns, comma-separated (optional).
                             Use * as file wildcard, and ** for any file / directory at any depth.
                             Example: -e '**/test/**,**/build/*.o'
      --no-stdin             Force to not read filenames from standard in
```

You can pipe a list of filenames to the secrets scanner, in which case only the piped files are processed. To avoid this behavior (i.e. to not read filenames from standard input), use the `--no-stdin` option.

### Repository Scan

Pass either the repository URL or the `scm:owner/name` shortcut in the `-repo` or `--repository` option. The repository will be cloned into a temporary directory that will be scanned, so include/exclude patterns also work. The HEAD branch will be used by default; use `--repo-branch <SHA_or_branch>` with the SHA digest of a commit or the name of the repository branch to clone.

### Container Image Scan

Use `--image` to pass the image name, including the registry host, the namespace and the repository, plus the tag or the image SHA digest.

Please note that not all scan commands are available for image scanning.

If none of `--dir`, `--repository` or `--image` is provided, the **default is** `--dir` with the current directory.
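The following script is an added example (not part of the Xygeni documentation) that assembles a `xygeni scan` command line for a CI job from the inputs, scanner selection and exclusion options described on this page, so the job can print and review the exact invocation before running it. The argument layout (`input`, `selection`, `exclude`, `upload`, `triage`) is the example's own convention; `--no-stdin` is always added because CI runners may hand the process an unexpected standard input.

```shell
#!/bin/sh
# Added example (not Xygeni's own code): build a `xygeni scan` command line.
# Only options documented on this page are used: --dir/--repository/--image,
# --run/--skip, --exclude, --no-stdin, --no-upload and --triage.

# build_scan_cmd <input> <selection> <exclude> <upload> <triage>
#   input     : dir:<path> | repo:<url-or-scm:owner/name> | image:<reference>
#   selection : all | run=<list> | skip=<list>
#   exclude   : comma-separated patterns, or empty
#   upload    : yes | no   (no adds --no-upload)
#   triage    : yes | no   (yes adds --triage)
# Prints the command on stdout and returns 1 on invalid input.
build_scan_cmd() {
  input="$1"; selection="$2"; exclude="$3"; upload="$4"; triage="$5"
  cmd="xygeni scan"
  # Exactly one scan input: directory, repository or container image.
  case "$input" in
    dir:*)   cmd="$cmd --dir=${input#dir:}" ;;
    repo:*)  cmd="$cmd --repository=${input#repo:}" ;;
    image:*) cmd="$cmd --image=${input#image:}" ;;
    *) echo "unknown input '$input' (use dir:, repo: or image:)" >&2; return 1 ;;
  esac
  # Scanner selection: run everything, an explicit --run list, or a --skip list.
  case "$selection" in
    all)    ;;
    run=*)  cmd="$cmd --run=\"${selection#run=}\"" ;;
    skip=*) cmd="$cmd --skip=\"${selection#skip=}\"" ;;
    *) echo "selection must be all, run=<list> or skip=<list>" >&2; return 1 ;;
  esac
  # Exclude patterns use * for files and ** for any depth, as on this page.
  if [ -n "$exclude" ]; then cmd="$cmd --exclude='$exclude'"; fi
  # Never let the scanner interpret CI's standard input as a file list.
  cmd="$cmd --no-stdin"
  if [ "$upload" = "no" ]; then cmd="$cmd --no-upload"; fi
  if [ "$triage" = "yes" ]; then cmd="$cmd --triage"; fi
  printf '%s\n' "$cmd"
}
```

Run the printed line only after reviewing it, for example with `sh -c "$(build_scan_cmd dir:. all '**/build/**' yes no)"`.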

{% hint style="info" %}
Please visit [Scanning a docker image](https://docs.xygeni.io/xygeni-scanner-cli/xygeni-cli-overview/xygeni-cli-operation-modes/single-scan/scanning-a-docker-image) for further information.
{% endhint %}

#### Scanners for Docker images

{% hint style="info" %}
Please note that **not all scanners are available for image scanning**. See the table below.
{% endhint %}

<table><thead><tr><th>Command</th><th>Images?</th><th data-hidden>Description</th></tr></thead><tbody><tr><td><a href="../../../xygeni-products/application-security-posture-management-aspm/inventory-scanner">inventory</a></td><td>X</td><td>Discover SDLC assets for project.</td></tr><tr><td><a href="../../../xygeni-products/open-source-security-oss/dependency-scanner">deps, scan-deps</a></td><td>X</td><td>Scan software project for dependencies and SBOM generation.</td></tr><tr><td><a href="../../../xygeni-products/open-source-security-oss/suspect-dependencies-scanner">suspectdeps</a></td><td></td><td>Detect suspect dependencies in project.</td></tr><tr><td><a href="../../../xygeni-products/compliance/compliance-scanner">compliance</a></td><td></td><td>Check compliance with supply-chain standards.</td></tr><tr><td><a href="../../../xygeni-products/anomaly-detection/code-tampering-scanner">codetamper</a></td><td></td><td>Detect potential code tampering.</td></tr><tr><td><a href="../../../xygeni-products/secrets-security/secrets-scanner">secrets</a></td><td>X</td><td>Detect hard-coded secrets in project.</td></tr><tr><td><a href="../../../xygeni-products/software-supply-chain-security-sscs/ci-cd-scanner">misconf</a></td><td>X</td><td>Detect misconfigurations in project.</td></tr><tr><td><a href="../../../xygeni-products/iac-security/iac-scanner/iac-scanner-configuration">iac</a></td><td></td><td>Detect security flaws in IaC template files.</td></tr><tr><td><a href="../../../xygeni-products/code-security-cs/malware-scanner">malware</a></td><td></td><td>Detect malware evidences.</td></tr></tbody></table>
