# Xygeni Scanner Reference

The Xygeni Scanner CLI supports the following commands:

```
Usage:

xygeni [-hqvV] [--token=<token>] [--url=<url>] 
       [-cop=key:value [-cop=key:value]...] [@<filename>...] 
       [COMMAND]

Parameters:
  @<filename>...          One or more argument files containing options.
  -v, --verbose           Verbose output?
  -q, --quiet             Quiet mode: do not generate output at console.
  -cop, --conf-option=key:value
                          Configuration properties for the scan.
  -h, --help              Show this help message and exit.
  -V, --version           Print version information and exit.

Xygeni credentials - clear-text or encrypted, env:VAR, file:PATH
They override the corresponding values in xygeni.yml configuration.
      --url=<url>         Xygeni api URL
      --token=<token>     Access token.

Commands:
  scan                 Runs all analyses available.
  multi-scan           Runs scans on multiple subdirectories (modules).
  org-scan             Discovers, and even scans, the organization repositories.
  inventory            Discover SDLC assets for project.
  deps, scan-deps      Scan software project for dependencies and SBOM generation.
  suspectdeps          Detect suspect dependencies in project.
  compliance           Check compliance with supply-chain standards.
  codetamper           Detect potential code tampering.
  secrets              Detect hard-coded secrets in project.
  misconf              Detect misconfigurations in project.
  iac                  Detect security flaws in IaC template files.
  malware              Detect malware evidences.
  report-upload        Converts and uploads an external tool or xygeni report into Xygeni platform.
  util                 Utilities for configuration.
  generate-completion  Generate bash/zsh completion script for xygeni.
```

## Configuration options

Each scan has configuration options that are by default available in files named `xygeni.yml` and `xygeni.<command>.yml` in the scanner's `conf` directory. Each file is a YAML document that could be edited and uploaded to the Xygeni platform for reuse.

The `-cop|--conf-option` global option goes before the command; each occurrence assigns a value to one configuration property: `xygeni -cop key:value -cop key2:value ... <command> ...` (the long form is `--conf-option key:value`). Quotes around `key:value` are optional, but are needed when it contains shell metacharacters.

`key` is the name of the configuration property, and `value` is the value to be assigned. For nested properties, separate the parts with `/`.

Examples:

```shell
# Disable commit resolution
xygeni -cop 'commitResolution:never' scan ...
# Set parallel mode with two threads
xygeni -cop 'mode:parallel' -cop 'parallelism:2' secrets ...
# Disable timeout
xygeni -cop 'timeout:0' secrets ...

# More complex cases (using the long option name; nested keys use '/', selectors use [name=value]):
xygeni --conf-option "report[format=text]/sort: exposure" \
  --conf-option "report[format=text]/borders: none" \
  --conf-option "parallelism: min(availableProcessors - 1, 4)" \
  scan ...

# Imagine that the user has this environment variable instead of the expected JENKINS_URL
xygeni -cop "cicd[kind=jenkins]/url: ${MY_JENKINS_URL}" misconf ...
```

{% hint style="info" %}
Follow our [**Central Configuration**](https://github.com/xygeni/UserDoc/blob/main/xygeni-scanner-cli/xygeni-cli-overview/central-configuration.md) for instructions on how to handle central configuration.

Note that in CI/CD pipelines many configuration options are passed through environment variables or local files; for sporadic changes it may be easier to specify a few options with `--conf-option`, possibly storing the command line options in an `@argument` file that can be kept under version control. This is convenient when many configuration properties need to be overridden for scanning a particular project.
{% endhint %}
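As an added example (not part of the Xygeni documentation or of the scanner itself), the following POSIX shell script writes such an `@argument` file with `-cop` overrides and checks, before the file is committed, that it does not carry a clear-text `--token`, relying on the `env:VAR` credential form shown in the help text above. The API URL, the environment variable name and the override values are constructed placeholders, and the assumption that one option per line with no embedded whitespace is read back as one argument is mine, not something the page states.

```shell
#!/bin/sh
# Added example (not Xygeni's own code): build a version-controllable @argument
# file with -cop overrides and refuse to keep a clear-text token in it.
set -eu

# Write an argument file, one option per line, as the CLI reads it via @<filename>.
# $1 = path of the file to write; remaining arguments are key:value overrides.
# Values are kept free of whitespace so each line stays a single argument
# (assumption about how the argument file is tokenized).
write_args_file() {
  out=$1; shift
  {
    echo "--url=https://api.example.invalid"   # placeholder URL (constructed)
    echo "--token=env:XYGENI_TOKEN"            # reference an env var, never the secret itself
    for kv in "$@"; do
      echo "--conf-option=$kv"
    done
  } > "$out"
}

# Return 0 when every --token line in the file points at env:VAR or file:PATH,
# 1 when a clear-text token is stored in it (the file may end up in git).
args_file_token_ok() {
  if grep -E '^--token=' "$1" | grep -Ev '^--token=(env:|file:)' >/dev/null; then
    return 1
  fi
  return 0
}

# Number of --conf-option lines in the file, for a quick sanity check.
count_conf_options() {
  grep -c '^--conf-option=' "$1" || true
}

# Typical use: write the file once, check it, then run a scan with it.
# Invocation of the real scanner is shown only as a comment here:
#   write_args_file xygeni.args 'commitResolution:never' 'parallelism:2' \
#     'report[format=text]/sort:exposure'
#   args_file_token_ok xygeni.args || { echo "clear-text token in xygeni.args" >&2; exit 1; }
#   XYGENI_TOKEN=... xygeni @xygeni.args scan -d . -f json -o report.json -nb
```

The check only catches the `--token` option stored in the argument file; configuration values passed with `-cop` are not inspected, so keep credentials out of those as well and use the `env:VAR` or `file:PATH` forms the CLI accepts.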

## Common scan options

The following options are supported by the scan commands (`scan`, `multi-scan`, `org-scan`, `deps`, `secrets`, `iac`, `sast`, `suspectdeps`, `malware`, `misconf`, `codetamper`, `inventory`):

| Option          | Description                                                                                                                                                                            |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-n, --name`    | Project name for the scan.                                                                                                                                                             |
| `-d, --dir`     | Project base directory to scan.                                                                                                                                                        |
| `-o, --output`  | Output file for the report (use `-` for stdout).                                                                                                                                       |
| `-f, --format`  | Report format (`json`, `text`, `sarif`, `html`, ...).                                                                                                                                  |
| `--mute <path>` | Apply scanner-side [mute rules](https://github.com/xygeni/UserDoc/blob/main/xygeni-scanner-cli/xygeni-cli-overview/mute-rules.md) from a local YAML file or named server-side ruleset. |
| `-nb`           | Suppress the scanner banner.                                                                                                                                                           |

See [Mute Rules](https://github.com/xygeni/UserDoc/blob/main/xygeni-scanner-cli/xygeni-cli-overview/mute-rules.md) for the full `.xygeni.mute.yml` descriptor reference and how scanner-side muting interacts with the Web UI mute action.
