Xygeni

About Xygeni

Xygeni is a Software Supply Chain Security platform whose scanners produce JSON reports for code vulnerabilities (SAST), open-source dependency vulnerabilities (SCA), hard-coded secrets, IaC flaws, web-application vulnerabilities (DAST), CI/CD and SCM misconfigurations, and malicious or suspect components.

This parser handles three Xygeni scan kinds in phase 1: SAST, SCA, and Secrets. All three share a common metadata envelope; the parser dispatches on metadata.scanType.

Scan Types

| Scan type           | metadata.scanType | Xygeni CLI command (typical)                   |
|---------------------|-------------------|------------------------------------------------|
| Xygeni SAST Scan    | sast              | xygeni scan --scan-type=sast --format=json     |
| Xygeni SCA Scan     | deps              | xygeni scan --scan-type=deps --format=json     |
| Xygeni Secrets Scan | secrets           | xygeni scan --scan-type=secrets --format=json  |

See the Xygeni documentation at https://docs.xygeni.io for installation and the full set of CLI options.

Acceptable JSON Format

All three scan types share the same envelope:

{
  "metadata": {
    "uuid": "...",
    "timestamp": "2026-04-26T07:08:29Z",
    "projectName": "...",
    "scanType": "sast" | "deps" | "secrets",
    "format": "<scanType>-xygeni",
    "reportProperties": {
      "tool.name": "Xygeni",
      "tool.version": "..."
    }
  },
  ...
}

The kind-specific payload then follows:

  • SAST: vulnerabilities[] — each entry carries detector (the rule id), severity, location.{filepath, beginLine, endLine, code}, cwe / cwes[], tags[], explanation, uniqueHash, issueId, and an optional codeFlows[] block describing source / sink frames and the data path.
  • SCA: dependencies[] — each dependency has name, version, ecosystem, and a nested vulnerabilities[] of CVE/GHSA advisories with cve, cwes, fixedVersion, aliases, overallCvssScore, references, description, uniqueHash, issueId.
  • Secrets: secrets[] — each entry has type (e.g. aws_access_key), detector, severity, location (same shape as SAST), description, tags, uniqueHash, issueId. The secret value and location.code are already redacted by the Xygeni CLI before serialisation.
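The dispatch on metadata.scanType and the flattening of the three payloads, as an added example (it is not the parser's or Xygeni's own code). The three reports it embeds are constructed from the field names above; every uuid, hash, path and CVE/GHSA value in them is a placeholder. Two assumptions are marked in the code: Xygeni's lowercase severity levels map onto Critical/High/Medium/Low/Info, and an SCA advisory's level is derived from overallCvssScore because the advisory carries a score rather than a level.

```python
"""Dispatch a Xygeni JSON report on metadata.scanType and flatten each kind.

Added example; not the parser's or Xygeni's own code. The reports at the
bottom are constructed from the field names on this page; every id, hash,
path and CVE/GHSA value is a placeholder. Assumed: lowercase levels map to
Critical/High/Medium/Low/Info, and SCA severity derives from overallCvssScore.
"""
import json

SEVERITY = {"critical": "Critical", "high": "High", "medium": "Medium",
            "low": "Low", "info": "Info"}

def severity_from_cvss(score):
    """CVSS base score -> level name (assumed thresholds, not Xygeni's)."""
    s = float(score or 0)
    return ("critical" if s >= 9.0 else "high" if s >= 7.0
            else "medium" if s >= 4.0 else "low" if s > 0 else "info")

def cwe_number(entry):
    """First CWE as an int from `cwe` or `cwes[]`; None if absent."""
    raw = entry.get("cwe")
    if raw is None and entry.get("cwes"):
        raw = entry["cwes"][0]
    digits = str(raw).upper().replace("CWE-", "") if raw is not None else ""
    return int(digits) if digits.isdigit() else None

def base_finding(entry, title, severity, location=None):
    """Fields shared by all three kinds, including both dedup ids."""
    loc = location or {}
    return {"title": title, "severity": SEVERITY.get(str(severity).lower(), "Info"),
            "file_path": loc.get("filepath"), "line": loc.get("beginLine"),
            "unique_id_from_tool": entry.get("uniqueHash"),   # vendor-stable uniqueHash
            "vuln_id_from_tool": entry.get("issueId")}

def parse_sast(report):
    out = []
    for v in report.get("vulnerabilities", []):
        f = base_finding(v, v["detector"], v.get("severity"), v.get("location"))
        f["cwe"] = cwe_number(v)
        f["description"] = v.get("explanation", "")
        f["has_code_flow"] = bool(v.get("codeFlows"))  # source/sink path present
        out.append(f)
    return out

def parse_sca(report):
    out = []
    for dep in report.get("dependencies", []):
        for adv in dep.get("vulnerabilities", []):   # one finding per advisory
            cve = adv["cve"]
            f = base_finding(adv, f"{cve} in {dep['name']} {dep['version']}",
                             severity_from_cvss(adv.get("overallCvssScore")))
            f["component_name"], f["component_version"] = dep["name"], dep["version"]
            f["vulnerability_ids"] = [cve] + [a for a in adv.get("aliases", []) if a != cve]
            f["cwe"] = cwe_number(adv)
            f["mitigation"] = f"Upgrade to {adv['fixedVersion']}" if adv.get("fixedVersion") else None
            f["description"] = adv.get("description", "")
            out.append(f)
    return out

def parse_secrets(report):
    out = []
    for s in report.get("secrets", []):
        title = f"Hard-coded secret: {s.get('type') or s.get('detector')}"
        f = base_finding(s, title, s.get("severity"), s.get("location"))
        # location.code is already redacted by the CLI, so it is safe to surface.
        f["description"] = s.get("description", "")
        out.append(f)
    return out

PARSERS = {"sast": parse_sast, "deps": parse_sca, "secrets": parse_secrets}

def parse_report(raw):
    """Parse one report given as JSON text, dispatching on metadata.scanType."""
    report = json.loads(raw)
    meta = report.get("metadata") or {}
    scan_type = meta.get("scanType")
    if scan_type not in PARSERS:   # e.g. a DAST or IaC report, not handled here
        raise ValueError(f"unsupported or missing metadata.scanType: {scan_type!r}")
    findings = PARSERS[scan_type](report)
    for f in findings:
        f["scan_type"], f["project"] = scan_type, meta.get("projectName")
    return findings

def envelope(scan_type):
    return {"uuid": "00000000-0000-0000-0000-000000000000", "timestamp": "2026-04-26T07:08:29Z",
            "projectName": "demo-app", "scanType": scan_type, "format": f"{scan_type}-xygeni",
            "reportProperties": {"tool.name": "Xygeni", "tool.version": "0.0.0"}}

# Constructed sample reports (placeholders only; not real Xygeni output).
SAMPLE_SAST = json.dumps({"metadata": envelope("sast"), "vulnerabilities": [
    {"detector": "sql_injection", "severity": "high", "cwe": "CWE-89", "tags": ["injection"],
     "location": {"filepath": "app/db.py", "beginLine": 42, "endLine": 44, "code": "cur.execute(q)"},
     "explanation": "Untrusted input reaches a SQL sink.", "codeFlows": [{"frames": []}],
     "uniqueHash": "sast-hash-0001", "issueId": "SAST-1"}]})
SAMPLE_SCA = json.dumps({"metadata": envelope("deps"), "dependencies": [
    {"name": "example-lib", "version": "1.2.3", "ecosystem": "pypi", "vulnerabilities": [
        {"cve": "CVE-0000-0001", "aliases": ["GHSA-xxxx-xxxx-xxxx"], "cwes": [502],
         "fixedVersion": "1.2.4", "overallCvssScore": 9.8, "references": [],
         "description": "Placeholder advisory.", "uniqueHash": "sca-hash-0001", "issueId": "SCA-1"}]}]})
SAMPLE_SECRETS = json.dumps({"metadata": envelope("secrets"), "secrets": [
    {"type": "aws_access_key", "detector": "aws", "severity": "critical", "tags": ["cloud"],
     "location": {"filepath": "config/prod.env", "beginLine": 3, "endLine": 3, "code": "AKIA****************"},
     "description": "AWS access key id", "uniqueHash": "sec-hash-0001", "issueId": "SEC-1"}]})
```

Call parse_report(open(path).read()) on a real report; any scanType outside the three handled kinds raises rather than silently producing an empty list, which is the behaviour you want when someone uploads a DAST report under the wrong scan type.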

Sample Scan Data

Sample Xygeni JSON reports can be found here.

Deduplication

Every finding carries unique_id_from_tool (set from Xygeni’s vendor-stable uniqueHash) and vuln_id_from_tool (set from issueId). The deduplication algorithm is configured per scan type:

| Scan type           | Algorithm                         | Hash-code fields (fallback)                            |
|---------------------|-----------------------------------|--------------------------------------------------------|
| Xygeni SAST Scan    | unique_id_from_tool               | n/a                                                    |
| Xygeni SCA Scan     | unique_id_from_tool_or_hash_code  | vulnerability_ids, component_name, component_version   |
| Xygeni Secrets Scan | unique_id_from_tool               | n/a                                                    |

For SCA the hash-code fallback enables cross-tool deduplication: the same CVE on the same package@version reported by Xygeni and by another SCA scanner (Snyk, Trivy, etc.) collapses into a single Finding, provided the other scanner's hash-code fields are configured to the same three fields so that both hashes are computed over the same values. SAST and Secrets findings have no fallback, so they are matched only on uniqueHash.
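The three rows of the table, exercised on constructed findings, as an added illustration rather than the platform's own deduplication code. The hash-code construction here (sha256 over the configured fields joined by newlines, with list-valued fields sorted first so that the order of vulnerability_ids never changes the key) is an assumption; so are the finding dicts and every id and CVE/GHSA value in them.

```python
"""Dedup keys per Xygeni scan type, following the table above.

Added illustration, not the platform's implementation. The hash-code
construction and the sample findings are assumptions; every id, hash and
CVE/GHSA value below is a placeholder.
"""
import hashlib

DEDUP_ALGORITHM = {
    "Xygeni SAST Scan": "unique_id_from_tool",
    "Xygeni SCA Scan": "unique_id_from_tool_or_hash_code",
    "Xygeni Secrets Scan": "unique_id_from_tool",
}
# Only a scan type with a hash-code fallback needs hash-code fields.
HASH_CODE_FIELDS = {
    "Xygeni SCA Scan": ("vulnerability_ids", "component_name", "component_version"),
}


def hash_code(finding, fields):
    """Stable hash over `fields`; list-valued fields are sorted and joined."""
    parts = []
    for name in fields:
        value = finding.get(name) or ""
        if isinstance(value, (list, tuple)):
            value = "|".join(sorted(str(v).upper() for v in value))
        parts.append(str(value).strip())
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def is_duplicate(existing, candidate, scan_type):
    """Does `candidate` (imported as `scan_type`) duplicate `existing`?

    unique_id_from_tool is vendor-specific, so it is compared only between
    findings of the same test type. The hash-code fallback is computed over
    the same field list for both sides; cross-tool matching only works when
    the other scanner is configured with those same fields.
    """
    same_tool = existing.get("test_type") == candidate.get("test_type")
    uid = candidate.get("unique_id_from_tool")
    if same_tool and uid and uid == existing.get("unique_id_from_tool"):
        return True
    if DEDUP_ALGORITHM[scan_type] == "unique_id_from_tool_or_hash_code":
        fields = HASH_CODE_FIELDS[scan_type]
        return hash_code(existing, fields) == hash_code(candidate, fields)
    return False


# Constructed findings (placeholder ids and CVE/GHSA values).
XYGENI_SCA = {"test_type": "Xygeni SCA Scan", "unique_id_from_tool": "sca-hash-0001",
              "vulnerability_ids": ["CVE-0000-0001", "GHSA-xxxx-xxxx-xxxx"],
              "component_name": "example-lib", "component_version": "1.2.3"}
TRIVY_SCA = {"test_type": "Trivy Scan", "unique_id_from_tool": None,
             "vulnerability_ids": ["GHSA-xxxx-xxxx-xxxx", "CVE-0000-0001"],  # same ids, other order
             "component_name": "example-lib", "component_version": "1.2.3"}
TRIVY_SCA_NEXT = dict(TRIVY_SCA, component_version="1.2.4")
XYGENI_SAST_A = {"test_type": "Xygeni SAST Scan", "unique_id_from_tool": "sast-hash-0001",
                 "file_path": "app/db.py", "line": 42}
XYGENI_SAST_B = dict(XYGENI_SAST_A, unique_id_from_tool="sast-hash-0002")


def demo():
    """Exercise each row of the dedup table; returns a dict of outcomes."""
    return {
        # same CVE on the same package@version from another SCA tool collapses
        "sca_cross_tool": is_duplicate(TRIVY_SCA, XYGENI_SCA, "Xygeni SCA Scan"),
        # a different version is a different finding
        "sca_other_version": is_duplicate(TRIVY_SCA_NEXT, XYGENI_SCA, "Xygeni SCA Scan"),
        # the same Xygeni uniqueHash re-imported is a duplicate
        "sca_reimport": is_duplicate(XYGENI_SCA, dict(XYGENI_SCA), "Xygeni SCA Scan"),
        # SAST has no fallback: same location, different uniqueHash, stays separate
        "sast_same_location": is_duplicate(XYGENI_SAST_A, XYGENI_SAST_B, "Xygeni SAST Scan"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case is the one to keep in mind operationally: because SAST and Secrets have no hash-code fallback, anything that changes uniqueHash on the Xygeni side shows up as a new finding rather than being matched to the old one.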