CLI Options for Local Scanner
Quickly install and use the CybeDefend CLI to scan your code locally, fetch results, and integrate secure checks into CI/CD.
The CybeDefend CLI provides an efficient way to run local code scans and view results on our platform. It supports Linux, macOS, and Windows and is easily integrated into CI/CD pipelines or used in offline environments.
Usage
Installation
You can install the CybeDefend CLI using one of the following methods:
1. Pre-built Binaries
- Download the latest release for your platform (e.g., `cybedefend-darwin-amd64`, `cybedefend-linux-amd64`, or `cybedefend-windows-amd64.exe`) from the GitHub Releases page.
- Make Executable (Linux/macOS):
- Move to PATH:
- Check:
2. Build from Source
3. Docker Image
A pre-built Docker image containing the CLI is available on GitHub Container Registry. You can pull the latest version or a specific tag (like `v1.0.4`):
This mounts your current directory into the container and runs the scan. Ensure your API key and project ID are available as environment variables.
Configuration
- Config File (`config.yaml` in `./`, `$HOME/.cybedefend`, or `/etc/cybedefend`):
- Environment Variables: `CYBEDEFEND_API_URL`, `CYBEDEFEND_API_KEY`, `CYBEDEFEND_PROJECT_ID`
- Flags override these settings: `--api-url`, `--api-key`, `--project-id`
Commands
1. scan
Starts a new scan by uploading a directory or a pre-zipped file to the CybeDefend platform. By default, the command waits for the scan to complete and displays a summary of findings.
- `--dir, -d`: Directory to zip & scan (cannot be used with `--file`).
- `--file, -f`: Pre-zipped file to scan (cannot be used with `--dir`).
- `--project-id`: Associate the scan with a specific project ID (required).
- `--api-key`: Your CybeDefend API Key (can also be set via config or env var).
- `--wait`: (boolean, default: `true`) Wait for the scan to complete before exiting. If `false`, the command exits after initiating the scan.
- `--interval`: (duration, default: `5s`) Polling interval to check scan status when `--wait` is `true`.
- `--break-on-fail`: (boolean, default: `false`) Exit with a non-zero code if the scan itself fails (e.g., due to API errors or processing issues).
- `--break-on-severity`: (string, default: `none`) Exit with a non-zero code if vulnerabilities of the specified severity or higher are found. Vulnerabilities marked as "resolved" or "not_exploitable" are ignored.
  - Possible values: `critical`, `high`, `medium`, `low`, `none` (disables breaking on severity).
- `--ci`: CI-friendly output (no color/ASCII art, minimal logging). Useful for automated environments.
After a scan completes (when `--wait` is `true`), a summary of vulnerabilities found (excluding resolved/not exploitable) is displayed by severity.
Examples
2. results
- `--project-id`: Project ID to fetch results for.
- `--type, -t`: `sast` (default) or `iac`.
- `--all, -a`: Fetch all pages.
- `--output, -o`: `json`, `html`, or `sarif`.
- `--filename, -f`: Output file name (`results.json` by default).
- `--filepath`: Path to save the file (`.` by default).
- `--ci`: CI-friendly mode.
Examples
3. version
Displays the CLI version:
4. completion
Generates shell autocompletion for bash, zsh, etc.:
CI/CD Integration
Combine the `scan` and `results` commands in your pipelines. The `scan` command's `--wait`, `--break-on-fail`, and `--break-on-severity` flags are particularly useful for controlling pipeline flow based on scan outcomes.
For example, in GitHub Actions:
Use `--ci` for minimal logs during the scan. The `--break-on-*` flags allow automatic build failure based on your security policies. You can still use `cybedefend results` to fetch detailed reports if the scan passes the break conditions or if you need the data regardless.
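An added workflow illustrating the combination described above (this is example code, not the project's own GitHub Actions snippet). It assumes the CLI binary is fetched from a release URL stored in a repository variable named `CYBEDEFEND_CLI_URL` (a placeholder) and that `github/codeql-action/upload-sarif` is used to publish the SARIF file; every CLI flag used is one documented on this page.

```yaml
# Added example (not from the CybeDefend docs): a GitHub Actions job that fails
# the build on high/critical findings and uploads a SARIF report either way.
# Assumptions: CYBEDEFEND_CLI_URL is a placeholder variable pointing at the
# cybedefend-linux-amd64 release asset; the SARIF upload uses
# github/codeql-action/upload-sarif.
name: cybedefend-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      CYBEDEFEND_API_KEY: ${{ secrets.CYBEDEFEND_API_KEY }}   # never hard-code the key
      CYBEDEFEND_PROJECT_ID: ${{ vars.CYBEDEFEND_PROJECT_ID }}
    steps:
      - uses: actions/checkout@v4

      - name: Install CybeDefend CLI
        run: |
          # Placeholder URL: point it at the Linux binary on the Releases page
          curl -fsSL "${{ vars.CYBEDEFEND_CLI_URL }}" -o cybedefend
          chmod +x cybedefend
          sudo mv cybedefend /usr/local/bin/cybedefend
          cybedefend version

      - name: Scan repository
        # --wait (default true) blocks until the scan finishes; --break-on-fail
        # fails the job on scanner/API errors; --break-on-severity high fails it
        # on any high or critical finding that is not resolved/not_exploitable.
        run: cybedefend scan --dir . --ci --break-on-fail --break-on-severity high

      - name: Fetch SARIF report
        if: always()   # still collect findings when the scan step broke the build
        run: cybedefend results --type sast --all --output sarif --filename results.sarif --ci

      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

The project ID and API key are read from the `CYBEDEFEND_*` environment variables described under Configuration, so no credentials appear in the workflow file.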
Next Steps
- License: Apache 2.0
- Support: GitHub Issues or contact us at support@cybedefend.com
- Advanced Topics: Explore environment variables, config files, and flags to customize your local scanning workflow.