Single scan
xygeni scan
Make sure that the JAVA_HOME environment variable points to the directory where Java is installed; depending on your platform this may or may not be set automatically. Also make sure that $JAVA_HOME/bin is included in your system's PATH so that the Java executable can be run from anywhere on your system. See Xygeni CLI Prerequisites for further information.
The command xygeni scan is a wrapper that runs all the different types of scanners. Therefore, when xygeni scan is executed, by default ALL the available scanners are silently executed. See Xygeni Scanners for a full description of the available scanners.
Every available scanner can also be executed on its own (xygeni secrets, xygeni deps, etc.) and has its own parameters.
xygeni scan allows you to specify the most important parameters of every specific scanner, but not all of them. If you need a scanner parameter that xygeni scan does not support, invoke that specific scanner directly.
Nevertheless, xygeni scan allows you to select which scanners to execute using the --run parameter.
If you want, for example, to run only deps and secrets you could execute:
Similarly, if you want to run all the scanners except deps and secrets, you could use the --skip parameter to avoid running them:
The xygeni scan command analyzes the specified input (a directory, a source repository or a container image), generates an output with the results, and exports or uploads the results to the Xygeni platform for consolidation and central access.
Results upload
Depending on whether you use scan or a specific scanner, uploading of the results to the Xygeni servers works differently.
When using scan, the results are automatically uploaded to the Xygeni servers. When using any specific scanner (secrets, deps, etc.), the results are NOT uploaded to the Xygeni servers.
You can use the --upload and --no-upload options to change the default results upload behaviour.
Scan inputs
The xygeni scan command allows you to scan the following types of inputs (or objects to be scanned):
Directory Scan
Pass the directory with the sources to analyze in the -d or --dir option. Defaults to the current working directory. To specify comma-separated patterns for files to include or exclude in the scan, use the -i|--include and -e|--exclude options, respectively.
Exclusions / Inclusions
The --include and --exclude options allow you to include or exclude directories and files.
You can pipe a list of filenames to the secret scanner, and the scanner will then process only the piped list. If you want to avoid this behaviour (i.e. not reading piped filenames), use the --no-stdin option.
Repository Scan
Pass either the repository URL or the scm:owner/name shortcut in the -repo or --repository option. The repository is cloned into a temporary directory that is then scanned, so include/exclude patterns also work. The HEAD branch is used by default; use --repo-branch SHA_or_branch with the SHA digest of a commit or the name of the repository branch to clone.
Container Image Scan
Use --image to pass the image name, including the registry host, the namespace and the repository, plus the tag or the image SHA digest. Please note that not all scan commands are available for image scanning.
If none of --dir, --repository or --image is provided, the default is --dir with the current directory.
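As an added example (not Xygeni's own code and not part of the original page), a small POSIX sh helper that performs the JAVA_HOME prerequisite check from the top of this page and composes an xygeni scan command line from the input, --run/--skip and --upload/--no-upload options described above. It assumes that --run and --skip take a comma-separated list of scanner names, which the page does not state, and that the xygeni binary is on PATH.

```shell
#!/bin/sh
# Added helper, not part of the Xygeni CLI. Assumption: --run/--skip accept a
# comma-separated scanner list (the page only shows the flag names).

# check_java: confirm JAVA_HOME points at a Java install and that
# $JAVA_HOME/bin is on PATH, as the CLI prerequisites require.
check_java() {
  if [ -z "${JAVA_HOME:-}" ]; then
    echo "JAVA_HOME is not set" >&2; return 1
  fi
  if [ ! -x "$JAVA_HOME/bin/java" ]; then
    echo "no java executable under $JAVA_HOME/bin" >&2; return 1
  fi
  case ":$PATH:" in
    *":$JAVA_HOME/bin:"*) return 0 ;;
    *) echo "$JAVA_HOME/bin is not on PATH" >&2; return 1 ;;
  esac
}

# build_scan_cmd KIND INPUT RUN SKIP UPLOAD
#   KIND:   dir | repo | image | "" (empty means --dir with the current directory)
#   INPUT:  directory path, repository URL or scm:owner/name, or image reference
#   RUN:    scanners to run (e.g. deps,secrets); SKIP: scanners to skip; either may be empty
#   UPLOAD: yes -> --upload, no -> --no-upload, "" -> keep the CLI default
# Prints the composed command line instead of running it, so it can be reviewed.
build_scan_cmd() {
  kind=$1; input=$2; run=$3; skip=$4; upload=$5
  cmd="xygeni scan"
  case "$kind" in
    "")    cmd="$cmd --dir ." ;;
    dir)   cmd="$cmd --dir $input" ;;
    repo)  cmd="$cmd --repository $input" ;;
    image) cmd="$cmd --image $input" ;;
    *)     echo "unknown input kind: $kind" >&2; return 1 ;;
  esac
  # this wrapper refuses both selectors at once: choose scanners to run OR to skip
  if [ -n "$run" ] && [ -n "$skip" ]; then
    echo "use either RUN or SKIP, not both" >&2; return 1
  fi
  [ -n "$run" ]  && cmd="$cmd --run $run"
  [ -n "$skip" ] && cmd="$cmd --skip $skip"
  case "$upload" in
    yes) cmd="$cmd --upload" ;;
    no)  cmd="$cmd --no-upload" ;;
  esac
  printf '%s\n' "$cmd"
}
```

The command line is printed rather than executed so the assembled arguments can be reviewed first; run check_java before launching the real scan.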
Please visit Scanning a docker image for further information.
Scanners for Docker images
Please note that not all scanners are available for image scanning. See the table below.