This project aims at extending the Xygeni platform for End to End Software Supply Chain Security.
This repository helps partners and end users to share their own extensions and to request new ones, which could be added to the platform or provided here for the community.
The repository contains documentation and examples for Xygeni extensions, including:
- custom detectors,
- activity sensors,
- third-party report ingest,
- guardrail and workflow actions.
The following sections document how to add a custom component to the Xygeni platform, in a way that it could be shared with other users.
A Xygeni detector is a piece of logic that detects a security issue in a scanned target system such as source code, a source code repository, a container image, a CI/CD system or another software tool. A detector has a YAML (.yml) file that configures the detector, possibly an implementation class (.java), and optionally an AsciiDoc (.adoc) file documenting the issues raised by the detector.
Read Developing Custom Detectors for full documentation.
TBD
TBD
Xygeni prioritization and response can also be used with security findings reported by third-party security tools (external scanners), both open-source and commercial. The scanner provides a report-upload command for uploading the structured reports generated by third-party security tools in areas like Static Application Security Testing (SAST), Software Composition Analysis (SCA), Secret Leaks or IaC Flaws Detection.
The report-upload framework ships with the scanner, so new converters for unsupported formats can be added. Go to the Report Upload section for full details on how to add a new tool format.
TBD
Xygeni exporters are shared to allow third-party tools to provide data in a format that Xygeni can ingest.
As a complement to the Kiuwan SAST converter available in the Xygeni report-upload tool, here is an example of how to export the findings from Kiuwan.
Kiuwan is a powerful, end-to-end application security platform. The Kiuwan Static Application Security Testing (SAST) product is the tool that detects security vulnerabilities in source code using static analysis.
The problem is that Xygeni does not provide a mechanism in the agent (Kiuwan Local Analyzer) for writing the findings from the tool to a local file.
To export the findings to a local file for uploading into third-party tools like Xygeni, the approach used was to register the provided custom rule ExportRule, which registers a task that exports the findings at the end of the analysis.
See Kiuwan Exporter for full details on how to register the exporter in your Kiuwan account, and how to upload exported reports from Kiuwan into Xygeni using the report-upload command.
As a complement to the Sonarqube SAST converter available in the Xygeni report-upload tool, here is an example of how to export the findings from Sonarqube (Server and Cloud) by using the Sonarqube Web API.
See Sonarqube Exporter for details.
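The following script is an added illustration of the approach described above; it is not the Sonarqube Exporter from this repository nor code from SonarSource. It pages through the documented SonarQube Web API endpoint `GET /api/issues/search`, keeps the fields a report converter typically needs, and writes them to a local JSON file for a later report-upload. The base URL, token and project key come from the environment and the command line (assumed names `SONAR_URL`, `SONAR_TOKEN`); the `componentKeys` parameter name and the 10,000-result paging limit are those of the public API, so check the API documentation of your SonarQube version if either differs. The sample response embedded at the bottom is constructed so the normalization can be tried offline.

```python
"""Export SonarQube vulnerabilities to a local JSON file via the Web API.

Added example for this README (not Xygeni's or SonarSource's own exporter).
Assumes a SonarQube Server/Cloud instance reachable at SONAR_URL, a user
token in SONAR_TOKEN, and the documented endpoint GET /api/issues/search.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

PAGE_SIZE = 500          # maximum page size accepted by /api/issues/search
MAX_RESULTS = 10_000     # the endpoint does not page past this many results


def build_request(base_url, token, project_key, page):
    """Build an authenticated GET for one page of VULNERABILITY issues."""
    params = urllib.parse.urlencode({
        "componentKeys": project_key,
        "types": "VULNERABILITY",
        "ps": PAGE_SIZE,
        "p": page,
    })
    url = f"{base_url.rstrip('/')}/api/issues/search?{params}"
    # SonarQube tokens are sent as the HTTP Basic user name with an empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})


def normalize_issues(payload):
    """Reduce raw API issues to the fields a report-upload converter needs."""
    findings = []
    for issue in payload.get("issues", []):
        # "component" is "<projectKey>:<path>"; keep only the path part.
        component = issue.get("component", "")
        path = component.split(":", 1)[1] if ":" in component else component
        findings.append({
            "key": issue["key"],
            "rule": issue["rule"],
            "severity": issue.get("severity"),
            "file": path,
            "line": issue.get("line"),
            "message": issue.get("message", ""),
            "status": issue.get("status"),
        })
    return findings


def paging_done(payload, page):
    """True when the page just fetched was the last one that can be retrieved."""
    paging = payload.get("paging", {})
    total = paging.get("total", 0)
    fetched = page * paging.get("pageSize", PAGE_SIZE)
    return fetched >= min(total, MAX_RESULTS)


def export_project(base_url, token, project_key):
    """Page through all vulnerabilities of a project and return normalized findings."""
    findings, page = [], 1
    while True:
        req = build_request(base_url, token, project_key, page)
        with urllib.request.urlopen(req) as resp:
            payload = json.load(resp)
        findings.extend(normalize_issues(payload))
        if paging_done(payload, page):
            return findings
        page += 1


# Constructed sample response, shaped like /api/issues/search output (not real data).
SAMPLE_PAGE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 2},
    "issues": [
        {"key": "AX1", "rule": "java:S2076", "severity": "BLOCKER",
         "component": "demo:src/main/java/App.java", "line": 42,
         "message": "Make sure the \"command\" is not vulnerable to injection.",
         "status": "OPEN", "type": "VULNERABILITY"},
        {"key": "AX2", "rule": "java:S5131", "severity": "MAJOR",
         "component": "demo:src/main/java/Web.java", "line": 17,
         "message": "Change this code to not reflect user-controlled data.",
         "status": "OPEN", "type": "VULNERABILITY"},
    ],
}

if __name__ == "__main__":
    url, tok = os.environ.get("SONAR_URL"), os.environ.get("SONAR_TOKEN")
    if url and tok and len(sys.argv) > 1:
        result = export_project(url, tok, sys.argv[1])   # live export
    else:
        result = normalize_issues(SAMPLE_PAGE)            # offline demo
    with open("sonarqube-findings.json", "w") as fh:
        json.dump(result, fh, indent=2)
```

Run it as `SONAR_URL=https://sonar.example SONAR_TOKEN=... python export_sonar.py <projectKey>` to produce `sonarqube-findings.json`; without those variables it writes the constructed sample instead. The token is read from the environment rather than a command-line argument so it does not land in shell history or process listings, and the paging guard stops at the API's result ceiling instead of looping forever on very large projects.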
First off, thanks for taking the time to contribute! Your efforts will help other xygeni users to get more value from the platform. We appreciate your contributions.
See CONTRIBUTING for further details about how to create an issue or a pull request for a bugfix or a new feature.
Xygeni-extensions follows good security practices, but 100% security cannot be assured. Xygeni-extensions is provided "as is" without any warranty. Use at your own risk.
For more information and to report security issues, please refer to our security documentation.
Please note that any contributions to Xygeni-Extensions (this project) are open-source under the terms of the Apache 2.0 license. See LICENSE for full details.