Documentation and examples for Xygeni extensions: third-party report ingest, custom detectors, activity sensors, guardrail and workflow actions.

xygeni/xygeni-extensions

Xygeni-Extensions

End to End Software Supply Chain Security

Overview

This project aims to extend the Xygeni platform for End to End Software Supply Chain Security.

This repository helps partners and end users share their own extensions and request new ones, which could be added to the platform or even provided here for the community.

The repository contains documentation and examples for Xygeni extensions, including:

  • custom detectors,
  • activity sensors,
  • third-party report ingest,
  • guardrail and workflow actions.

How to...

The following sections document how to add a custom component to the Xygeni platform in a way that lets it be shared with other users.

Create a custom detector

A detector is a piece of logic that detects an issue in a scanned system, such as source code, a source code repository, a container image, a CI/CD system or another software tool. A detector has an implementation class and a YAML file that configures the detector and documents the issues it creates.

Read Developing Custom Detectors for full documentation.

Create a guardrail or workflow action

TBD

Create a report loader for a third-party tool

Xygeni prioritization and response can also be used with security findings reported by third-party security tools (namely external scanners), both open-source and commercial. The scanner provides a report-upload command for uploading the structured reports generated by third-party security tools, in areas like Static Application Security Testing (SAST), Software Composition Analysis (SCA), or Secret Leaks / IaC Flaws Detection.

The report-upload framework is available with the scanner, so new converters for unsupported formats can be added. Go to the Report Upload section for full details on how to add a new tool format.

Create an activity sensor for a software system

TBD

Contributing

First off, thanks for taking the time to contribute! Your efforts will help other Xygeni users get more value from the platform. We appreciate your contributions.

See CONTRIBUTING for further details about how to create an issue or a pull request for a bugfix or a new feature.

Security

Xygeni-extensions follows good security practices, but 100% security cannot be assured. Xygeni-extensions is provided "as is" without any warranty. Use at your own risk.

For more information and to report security issues, please refer to our security documentation.

License

Please note that any contributions to Xygeni-Extensions (this project) are open-source under the terms of the Apache 2.0 license. See LICENSE for full details.
