|
| 1 | +--- |
| 2 | +title: "Xygeni" |
| 3 | +toc_hide: true |
| 4 | +--- |
| 5 | +### About Xygeni |
| 6 | +[Xygeni](https://xygeni.io) is a Software Supply Chain Security platform whose |
| 7 | +scanners produce JSON reports for code vulnerabilities (SAST), open-source |
| 8 | +dependency vulnerabilities (SCA), hard-coded secrets, IaC flaws, web-application |
| 9 | +vulnerabilities (DAST), CI/CD and SCM misconfigurations, and malicious or |
| 10 | +suspect components. |
| 11 | + |
| 12 | +This parser handles three Xygeni scan kinds in phase 1: **SAST**, **SCA**, and |
| 13 | +**Secrets**. All three share a common `metadata` envelope; the parser |
| 14 | +dispatches on `metadata.scanType`. |
| 15 | + |
| 16 | +### Scan Types |
| 17 | +| Scan type | `metadata.scanType` | Xygeni CLI command (typical) | |
| 18 | +| ------------------------ | ------------------- | ---------------------------- | |
| 19 | +| `Xygeni SAST Scan` | `sast` | `xygeni scan --scan-type=sast --format=json` | |
| 20 | +| `Xygeni SCA Scan` | `deps` | `xygeni scan --scan-type=deps --format=json` | |
| 21 | +| `Xygeni Secrets Scan` | `secrets` | `xygeni scan --scan-type=secrets --format=json` | |
| 22 | + |
| 23 | +See the Xygeni documentation at <https://docs.xygeni.io> for installation and |
| 24 | +the full set of CLI options. |
| 25 | + |
| 26 | +### Acceptable JSON Format |
| 27 | +All three scan types share the same envelope: |
| 28 | + |
| 29 | +~~~ |
| 30 | +{ |
| 31 | + "metadata": { |
| 32 | + "uuid": "...", |
| 33 | + "timestamp": "2026-04-26T07:08:29Z", |
| 34 | + "projectName": "...", |
| 35 | + "scanType": "sast" | "deps" | "secrets", |
| 36 | + "format": "<scanType>-xygeni", |
| 37 | + "reportProperties": { |
| 38 | + "tool.name": "Xygeni", |
| 39 | + "tool.version": "..." |
| 40 | + } |
| 41 | + }, |
| 42 | + ... |
| 43 | +} |
| 44 | +~~~ |
| 45 | + |
| 46 | +The kind-specific payload then follows: |
| 47 | + |
| 48 | +- **SAST** — `vulnerabilities[]` — each entry carries `detector` (the rule id), |
| 49 | + `severity`, `location.{filepath, beginLine, endLine, code}`, `cwe` / |
| 50 | + `cwes[]`, `tags[]`, `explanation`, `uniqueHash`, `issueId`, and an optional |
| 51 | + `codeFlows[]` block describing source / sink frames and the data path. |
| 52 | +- **SCA** — `dependencies[]` — each dependency has `name`, `version`, |
| 53 | + `ecosystem`, and a nested `vulnerabilities[]` of CVE/GHSA advisories with |
| 54 | + `cve`, `cwes`, `fixedVersion`, `aliases`, `overallCvssScore`, `references`, |
| 55 | + `description`, `uniqueHash`, `issueId`. |
| 56 | +- **Secrets** — `secrets[]` — each entry has `type` (e.g. |
| 57 | + `aws_access_key`), `detector`, `severity`, `location` (same shape as SAST), |
| 58 | + `description`, `tags`, `uniqueHash`, `issueId`. The `secret` value and |
| 59 | + `location.code` are already redacted by the Xygeni CLI before serialisation. |
| 60 | + |
| 61 | +### Sample Scan Data |
| 62 | +Sample Xygeni JSON reports can be found |
| 63 | +[here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/xygeni). |
| 64 | + |
| 65 | +### Deduplication |
| 66 | + |
| 67 | +Every finding carries `unique_id_from_tool` (set from Xygeni's vendor-stable |
| 68 | +`uniqueHash`) and `vuln_id_from_tool` (set from `issueId`). The deduplication |
| 69 | +algorithm is configured per scan type: |
| 70 | + |
| 71 | +| Scan type | Algorithm | Hash-code fields (fallback) | |
| 72 | +| -------------------- | ---------------------------------- | -------------------------------------------------------------- | |
| 73 | +| Xygeni SAST Scan | `unique_id_from_tool` | n/a | |
| 74 | +| Xygeni SCA Scan | `unique_id_from_tool_or_hash_code` | `vulnerability_ids`, `component_name`, `component_version` | |
| 75 | +| Xygeni Secrets Scan | `unique_id_from_tool` | n/a | |
| 76 | + |
| 77 | +For SCA the hash-code fallback enables cross-tool deduplication: the same |
| 78 | +CVE on the same package@version reported by Xygeni and another SCA scanner |
| 79 | +(Snyk, Trivy, etc.) collapse into a single Finding. |
0 commit comments