The Xygeni Scanner CLI supports the following commands:

Usage:
  xygeni [-hqvV] [--token=<token>] [--url=<url>]
         [-cop=key:value [-cop=key:value]...] [@<filename>...]
         [COMMAND]

Parameters:
  @<filename>...                One or more argument files containing options.
  -v, --verbose                 Verbose output?
  -q, --quiet                   Quiet mode: do not generate output at console.
  -cop, --conf-option=key:value
                                Configuration properties for the scan.
  -h, --help                    Show this help message and exit.
  -V, --version                 Print version information and exit.

Xygeni credentials - clear-text or encrypted, env:VAR, file:PATH
They override the corresponding values in xygeni.yml configuration.
  --url=<url>                   Xygeni api URL
  --token=<token>               Access token.

Commands:
  scan                 Runs all analyses available.
  multi-scan           Runs scans on multiple subdirectories (modules).
  org-scan             Discovers, and even scans, the organization repositories.
  inventory            Discover SDLC assets for project.
  deps, scan-deps      Scan software project for dependencies and SBOM generation.
  suspectdeps          Detect suspect dependencies in project.
  compliance           Check compliance with supply-chain standards.
  codetamper           Detect potential code tampering.
  secrets              Detect hard-coded secrets in project.
  misconf              Detect misconfigurations in project.
  iac                  Detect security flaws in IaC template files.
  malware              Detect malware evidences.
  report-upload        Converts and uploads an external tool or xygeni report into Xygeni platform.
  util                 Utilities for configuration.
  generate-completion  Generate bash/zsh completion script for xygeni.
Configuration options
Each scan has configuration options that are by default available in files named xygeni.yml and xygeni.<command>.yml in the scanner's conf directory. Each file is a YAML document that could be edited and uploaded to the Xygeni platform for reuse.
The -cop | --conf-option options are global options that go before the command; each one assigns a value to a configuration property:

  xygeni -cop | --conf-option key:value -cop | --conf-option key2:value ... <command> ...

(Quotes surrounding key:value are optional, depending on the shell metacharacters that may appear in key:value.)

key is the name of the configuration property, and value is the value to be assigned. For nested properties, separate the parts with '/'.
Examples:

  # Disable commit resolution
  xygeni -cop 'commitResolution:never' scan ...

  # Set parallel mode with two threads
  xygeni -cop 'mode:parallel' -cop 'parallelism:2' secrets ...

  # Disable timeout
  xygeni -cop 'timeout:0' secrets ...

  # More complex cases (using long or short option names):
  xygeni --conf-option "report[format=text]/sort: exposure" \
         --conf-option "report[format=text]/borders: none" \
         --conf-option "parallelism: min(availableProcessors - 1, 4)" \
         scan ...

  # Imagine that the user has this environment var instead of the expected JENKINS_URL
  xygeni -cop "cicd[kind=jenkins]/url: ${MY_JENKINS_URL}" misconf ...
Note that many configuration options are passed through environment variables or local files in CI/CD pipelines. For sporadic changes it may be easier to specify a few options with --conf-option, possibly storing the command-line options in an @argument file that can be kept under version control. This is convenient when many configuration properties need to be overridden for scanning a particular project.
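As an added illustration, not Xygeni's code and not necessarily how the scanner resolves options internally, the following Python applies overrides written in the documented key:value shape, with '/' separating nested properties and a [key=value] selector picking a list entry such as report[format=text], onto a constructed configuration. The base configuration, the selector semantics and the example URL are assumptions made for the demonstration.

```python
import copy
import re

# Constructed base configuration shaped like a xygeni.yml fragment (assumption,
# not a real Xygeni file); list entries are selected with [key=value].
BASE_CONFIG = {
    "commitResolution": "always",
    "parallelism": 1,
    "report": [{"format": "text", "sort": "severity", "borders": "ascii"},
               {"format": "json"}],
    "cicd": [{"kind": "jenkins", "url": "${JENKINS_URL}"}],
}

# One path segment: a property name with an optional [selector=value] filter.
_SEGMENT = re.compile(r"^([^\[\]/]+)(?:\[([^=\]]+)=([^\]]+)\])?$")

def parse_override(option: str):
    """Split 'a[k=v]/b: value' into ([(name, selector), ...], value).
    The first ':' separates the property path from the value; nested parts
    are separated by '/', as the -cop documentation describes."""
    path, sep, value = option.partition(":")
    if not sep or not path.strip():
        raise ValueError(f"override must be key:value, got {option!r}")
    parts = []
    for segment in path.split("/"):
        m = _SEGMENT.match(segment.strip())
        if not m:
            raise ValueError(f"bad path segment {segment!r} in {option!r}")
        name, sel_key, sel_val = m.groups()
        parts.append((name, (sel_key, sel_val) if sel_key else None))
    return parts, value.strip()

def apply_overrides(config: dict, options: list[str]) -> dict:
    """Return a deep copy of config with each -cop override applied in order.
    Values stay strings: expressions such as min(availableProcessors - 1, 4)
    are left for the consuming tool to interpret."""
    result = copy.deepcopy(config)
    for option in options:
        parts, value = parse_override(option)
        node = result
        for name, selector in parts[:-1]:
            node = node[name]
            if selector:  # pick the list element whose selector key matches
                key, wanted = selector
                node = next(e for e in node if str(e.get(key)) == wanted)
        name, selector = parts[-1]
        if selector:
            raise ValueError(f"selector cannot end the path: {option!r}")
        node[name] = value
    return result
```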