CLI for CI/CD

Overview

The Cysmiq CLI lets you run policy checks in CI/CD pipelines, query vulnerabilities from scripts, and integrate security gates into your workflows.

Installation

macOS (Homebrew)
macOS (Manual)
Linux (Manual)
Linux (Package Manager)

Install via Homebrew

brew install --cask cysmiq/tap/cysmiq

Download the latest release for your architecture:

Apple Silicon (M1/M2/M3)

curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_darwin_arm64.tar.gz | tar -xz
sudo mv cysmiq /usr/local/bin/

Intel Mac

curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_darwin_amd64.tar.gz | tar -xz
sudo mv cysmiq /usr/local/bin/

Download the latest release for your architecture:

x86_64

curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
sudo mv cysmiq /usr/local/bin/

ARM64

curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_arm64.tar.gz | tar -xz
sudo mv cysmiq /usr/local/bin/

Debian/Ubuntu:

Install .deb package

curl -fsSLO https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.deb
sudo dpkg -i cysmiq_linux_amd64.deb

RHEL/Fedora:

Install .rpm package

curl -fsSLO https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.rpm
sudo rpm -i cysmiq_linux_amd64.rpm

Alpine:

Install .apk package

curl -fsSLO https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.apk
sudo apk add --allow-untrusted cysmiq_linux_amd64.apk

Verify the installation:

Verify installation

cysmiq version

Configuration

The CLI reads configuration from three sources, in order of precedence:

Command-line flags: --base-url, --tenant, --token
Environment variables: CYSMIQ_BASE_URL, CYSMIQ_TENANT, CYSMIQ_TOKEN
Config file: ~/.cysmiq/config.yaml

Required settings

Setting	Flag	Environment variable	Description
Base URL	`--base-url`	`CYSMIQ_BASE_URL`	Base URL (e.g., `https://app.cysmiq.com`)
Tenant	`--tenant`	`CYSMIQ_TENANT`	Workspace slug
Token	`--token`	`CYSMIQ_TOKEN`	API token

Config file

Create ~/.cysmiq/config.yaml to avoid passing flags repeatedly:

~/.cysmiq/config.yaml

base-url: https://app.cysmiq.com
tenant: my-workspace
# token: set via CYSMIQ_TOKEN for security

Avoid storing tokens in the config file. Use the CYSMIQ_TOKEN environment variable instead.

Commands

check

Run a policy check and set the exit code based on vulnerabilities found. Use this in CI/CD pipelines to gate deployments.

Basic check

cysmiq check --repo my-org/my-repo

Exit codes:

0: Check passed
1: Check failed (vulnerabilities exceeded policy) or no scan found for provided SHA
2: Configuration or API error

Options:

Flag	Default	Description
`--repo`	(auto-infer)	Repository identifier
`--ref`	(auto-infer)	Git ref (branch or tag)
`--sha`	(auto-infer)	Git commit SHA
`--fail-on`	`critical,high`	Severities that cause failure
`--max-count`	`-1` (disabled)	Fail if total vulnerabilities exceeds this number
`--severity`	(all)	Filter by severity: `critical`, `high`, `medium`, `low`
`--type`	(all)	Filter by type: `code`, `dependency`, `secret`
`--confirmed`	`true`	Only include confirmed vulnerabilities
`--triaged`	(all)	Filter by triage status: `yes` or `no`
`--output`	`summary`	Output format: `summary`, `table`, `json`

Examples:

Fail only on critical vulnerabilities

cysmiq check --repo my-org/my-repo --fail-on critical

Check a specific commit

cysmiq check --repo my-org/my-repo --sha abc123def456

Fail if more than 10 vulnerabilities

cysmiq check --repo my-org/my-repo --max-count 10

JSON output for parsing

cysmiq check --repo my-org/my-repo --output json

vulns list

List vulnerabilities for a repository.

List vulnerabilities

cysmiq vulns list --repo my-org/my-repo

Options:

Flag	Default	Description
`--repo`	(auto-infer)	Repository identifier
`--ref`	(auto-infer)	Git ref (branch or tag)
`--sha`		Git commit SHA
`--severity`	(all)	Filter by severity
`--type`	(all)	Filter by type
`--confirmed`	`true`	Only include confirmed vulnerabilities
`--triaged`	(all)	Filter by triage status
`--limit`	`50`	Max items per page (1-200)
`--all`	`false`	Fetch all pages
`--cursor`		Pagination cursor
`--output`	`table`	Output format: `summary`, `table`, `json`

Examples:

List all critical vulnerabilities

cysmiq vulns list --repo my-org/my-repo --severity critical --all

Export as JSON

cysmiq vulns list --repo my-org/my-repo --output json > vulns.json

vulns summary

Show a vulnerability count summary without listing individual items.

Show summary

cysmiq vulns summary --repo my-org/my-repo

Options:

Flag	Default	Description
`--output`	`summary`	Output format: `summary`, `json`

Note: vulns summary requires --repo or auto-inferred repo context.

version

Print version information.

Show version

cysmiq version

update

Update the CLI to the latest version.

Update to latest

cysmiq update

Options:

Flag	Description
`--check`	Check for updates without installing
`--force`	Force update even if installed via a package manager

Check for updates

cysmiq update --check

CI/CD integration

The CLI auto-infers repository, ref, and SHA from common CI environments. Set --no-infer to disable this behavior.

Use --no-infer when running the CLI outside the target repo or when you need to query a different repo, ref, or SHA than the CI environment. Then pass --repo, --ref, and --sha explicitly.

GitHub Actions

GitHub Actions workflow

name: Security Check

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Cysmiq CLI
        run: |
          curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
          sudo mv cysmiq /usr/local/bin/

      - name: Run security check
        env:
          CYSMIQ_BASE_URL: https://app.cysmiq.com
          CYSMIQ_TENANT: ${{ vars.CYSMIQ_TENANT }}
          CYSMIQ_TOKEN: ${{ secrets.CYSMIQ_TOKEN }}
        run: cysmiq check

GitLab CI

GitLab CI configuration

security-check:
  image: alpine:latest
  before_script:
    - apk add --no-cache curl
    - curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
    - mv cysmiq /usr/local/bin/
  script:
    - cysmiq check
  variables:
    CYSMIQ_BASE_URL: https://app.cysmiq.com
    CYSMIQ_TENANT: $CYSMIQ_TENANT
    CYSMIQ_TOKEN: $CYSMIQ_TOKEN

CircleCI

CircleCI configuration

version: 2.1

jobs:
  security-check:
    docker:
      - image: cimg/base:current
    steps:
      - checkout
      - run:
          name: Install Cysmiq CLI
          command: |
            curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
            sudo mv cysmiq /usr/local/bin/
      - run:
          name: Run security check
          command: cysmiq check
          environment:
            CYSMIQ_BASE_URL: https://app.cysmiq.com

workflows:
  main:
    jobs:
      - security-check:
          context: cysmiq

Global options

These options apply to all commands:

Flag	Environment variable	Description
`--base-url`	`CYSMIQ_BASE_URL`	API base URL
`--tenant`	`CYSMIQ_TENANT`	Workspace slug
`--token`	`CYSMIQ_TOKEN`	API token
`--no-infer`	`CYSMIQ_NO_INFER`	Disable auto-inference from CI environment
`--repo`	-	Repository identifier or name
`--ref`	-	Git ref (branch or tag)
`--sha`	-	Git commit SHA
`--confirmed`	-	Only confirmed vulnerabilities
`--triaged`	-	Filter triaged status (`yes` or `no`)
`--severity`	-	Filter by severities (`critical`, `high`, `medium`, `low`)
`--type`	-	Filter by types (`code`, `dependency`, `secret`)
`--limit`	-	Max items to fetch (1-200)

API keys: Generate tokens for CLI authentication
Vulnerability lifecycle: Understanding vulnerability statuses

Onboarding & setup

Integrations

Workflows

Administration

Self-hosting

Overview

Installation

Configuration

Required settings

Config file

Commands

check

vulns list

vulns summary

version

update

CI/CD integration

GitHub Actions

GitLab CI

CircleCI

Global options

Onboarding & setup

Integrations

Workflows

Administration

Self-hosting

​Overview

​Installation

​Configuration

​Required settings

​Config file

​Commands

​check

​vulns list

​vulns summary

​version

​update

​CI/CD integration

​GitHub Actions

​GitLab CI

​CircleCI

​Global options

​Related docs

Overview

Installation

Configuration

Required settings

Config file

Commands

check

vulns list

vulns summary

version

update

CI/CD integration

GitHub Actions

GitLab CI

CircleCI

Global options

Related docs