Xygeni Scanner Reference

The Xygeni Scanner CLI supports the following commands:

Usage:

xygeni [-hqvV] [--token=<token>] [--url=<url>] 
       [-cop=key:value [-cop=key:value]...] [@<filename>...] 
       [COMMAND]

Parameters:
  @<filename>...          One or more argument files containing options.
  -v, --verbose           Verbose output?
  -q, --quiet             Quiet mode: do not generate output at console.
  -cop, --conf-option=key:value
                          Configuration properties for the scan.
  -h, --help              Show this help message and exit.
  -V, --version           Print version information and exit.

Xygeni credentials - clear-text or encrypted, env:VAR, file:PATH
They override the corresponding values in xygeni.yml configuration.
      --url=<url>         Xygeni api URL
      --token=<token>     Access token.

Commands:
  scan                 Runs all analyses available.
  multi-scan           Runs scans on multiple subdirectories (modules).
  org-scan             Discovers, and even scans, the organization repositories.
  inventory            Discover SDLC assets for project.
  deps, scan-deps      Scan software project for dependencies and SBOM generation.
  suspectdeps          Detect suspect dependencies in project.
  compliance           Check compliance with supply-chain standards.
  codetamper           Detect potential code tampering.
  secrets              Detect hard-coded secrets in project.
  misconf              Detect misconfigurations in project.
  iac                  Detect security flaws in IaC template files.
  malware              Detect malware evidences.
  report-upload        Converts and uploads an external tool or xygeni report into Xygeni platform.
  util                 Utilities for configuration.
  generate-completion  Generate bash/zsh completion script for xygeni.

Configuration options

Each scan has configuration options that are by default read from files named xygeni.yml and xygeni.<command>.yml in the scanner's conf directory. Each file is a YAML document that can be edited and uploaded to the Xygeni platform for reuse.

The -cop|--conf-option options are global: they go before the command, and each one assigns a value to a single configuration property:

xygeni -cop key:value -cop key2:value ... <command> ...

The long form --conf-option key:value is equivalent. Quotes around key:value are optional and only needed when key:value contains shell metacharacters.

key is the name of the configuration property, and value is the value to be assigned. For nested properties, separate the parts with '/'.

Examples:

# Disable commit resolution
xygeni -cop 'commitResolution:never' scan ...
# Set parallel mode with two threads
xygeni -cop 'mode:parallel' -cop 'parallelism:2' secrets ...
# Disable timeout
xygeni -cop 'timeout:0' secrets ...

# More complex cases (using the long option name; -cop is the short form):
xygeni --conf-option "report[format=text]/sort: exposure" \
  --conf-option "report[format=text]/borders: none" \
  --conf-option "parallelism: min(availableProcessors - 1, 4)" \
  scan ...
  
# Imagine that the user has this environment var instead of the expected JENKINS_URL
xygeni -cop "cicd[kind=jenkins]/url: ${MY_JENKINS_URL}" misconf ...

See the Central Configuration page for instructions on managing configuration centrally.

Note that in CI/CD pipelines many configuration options are passed through environment variables or local files. For sporadic changes it may be easier to specify a few options with --conf-option, possibly storing the command-line options in an @argument file that can be kept under version control. This is convenient when many configuration properties need to be overridden for scanning a particular project.
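The following script is an added example, not part of the Xygeni documentation or scanner. It assembles the -cop overrides for one project into an @argument file, checking each override for the key:value shape before the scanner sees it, and refusing to run when an environment variable used in an override (the MY_JENKINS_URL case from the misconf example) is unset, so that a blank value is never silently written into cicd[kind=jenkins]/url. Only the -cop option and the command names from the reference above are used; the argument-file layout (one token per line, double-quoted when the token contains whitespace) and the output file name xygeni.args are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example (not part of the Xygeni docs or scanner): collect -cop overrides
# into an @argument file and sanity-check them before invoking the scanner.
# Assumption: the argument file accepts one token per line, with tokens that
# contain whitespace wrapped in double quotes.

# valid_cop SPEC: succeed if SPEC has the key:value shape that -cop expects:
# a non-empty key, a ':' separator, no whitespace or quotes in the property
# path, and a key that does not start with '-' (it would be read as an option).
valid_cop() {
  local spec="$1" key
  case "$spec" in
    *:*) ;;
    *) return 1 ;;
  esac
  key="${spec%%:*}"
  [ -n "$key" ] || return 1
  case "$key" in
    -*|*[[:space:]]*|*'"'*) return 1 ;;
  esac
  return 0
}

# require_env NAME: fail loudly if NAME is unset or empty, instead of letting
# "${NAME}" expand to nothing inside a -cop override. NAME is checked to be a
# plain identifier before it is passed to eval.
require_env() {
  local name="$1" v
  case "$name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      printf 'require_env: not a variable name: %s\n' "$name" >&2; return 1 ;;
  esac
  eval "v=\${$name:-}"
  if [ -z "$v" ]; then
    printf 'required environment variable %s is unset or empty\n' "$name" >&2
    return 1
  fi
}

# write_argfile FILE SPEC...: write one -cop override per SPEC into FILE, so the
# scanner can be run as: xygeni @FILE <command> ...
# Stops at the first malformed SPEC and returns 1.
write_argfile() {
  local file="$1" spec
  shift
  : > "$file"
  for spec in "$@"; do
    if ! valid_cop "$spec"; then
      printf 'invalid override (expected key:value): %s\n' "$spec" >&2
      return 1
    fi
    printf '%s\n' '-cop' >> "$file"
    case "$spec" in
      *[[:space:]]*) printf '"%s"\n' "$spec" >> "$file" ;;   # quote whitespace
      *) printf '%s\n' "$spec" >> "$file" ;;
    esac
  done
}

# main [FILE]: build the override file for a project whose Jenkins URL lives in
# MY_JENKINS_URL rather than JENKINS_URL, then show the resulting invocation.
main() {
  local out="${1:-xygeni.args}"
  require_env MY_JENKINS_URL || return 1
  write_argfile "$out" \
    'mode:parallel' \
    'parallelism:2' \
    'timeout:0' \
    'report[format=text]/sort: exposure' \
    "cicd[kind=jenkins]/url: ${MY_JENKINS_URL}" || return 1
  # Dry run: print the command line; drop the echo to run the scanner.
  echo xygeni "@$out" misconf
}

# Run only when given an output path, e.g.: MY_JENKINS_URL=https://ci.example.internal ./overrides.sh xygeni.args
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The script keeps the overrides in a file rather than on the command line so the file can be reviewed and versioned alongside the project; validation happens before the scanner runs, which gives a clear error instead of a misparsed option deep in a CI log.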
