> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cysmiq CLI

> Run vulnerability checks in CI/CD pipelines and query vulnerabilities from scripts or coding agents.

## Overview

The Cysmiq CLI lets you run policy checks in CI/CD pipelines, query vulnerabilities from scripts or coding agents, update vulnerability workflow state, and install official Cysmiq skills for supported coding agents.

## Prerequisites

* A Cysmiq workspace slug for workspace-scoped commands
* A Cysmiq API token with access to the workspace
* A repository connected to Cysmiq for repository-scoped checks, or an application for application-scoped checks

See [API keys](/security-access/api-keys) to generate an API token.

## Installation

<Tabs>
  <Tab title="macOS (Homebrew)">
    ```bash Install via Homebrew theme={null}
    brew install --cask cysmiq/tap/cysmiq
    ```

    Homebrew 6 may require explicit trust for existing installations from non-official taps during upgrades. If Homebrew reports that `cysmiq/tap/cysmiq` is from an untrusted tap, trust the Cysmiq cask and rerun the upgrade:

    ```bash Trust the Cysmiq cask theme={null}
    brew trust --cask cysmiq/tap/cysmiq
    brew upgrade --cask cysmiq
    ```

    To trust all entries from the Cysmiq tap on managed machines, trust the tap once:

    ```bash Trust the Cysmiq tap theme={null}
    brew trust cysmiq/tap
    ```
  </Tab>

  <Tab title="macOS (Manual)">
    Download the latest release for your architecture:

    ```bash Apple Silicon theme={null}
    curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_darwin_arm64.tar.gz | tar -xz
    sudo mv cysmiq /usr/local/bin/
    ```

    ```bash Intel Mac theme={null}
    curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_darwin_amd64.tar.gz | tar -xz
    sudo mv cysmiq /usr/local/bin/
    ```
  </Tab>

  <Tab title="Linux (Manual)">
    Download the latest release for your architecture:

    ```bash x86_64 theme={null}
    curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
    sudo mv cysmiq /usr/local/bin/
    ```

    ```bash ARM64 theme={null}
    curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_arm64.tar.gz | tar -xz
    sudo mv cysmiq /usr/local/bin/
    ```
  </Tab>

  <Tab title="Linux (Package)">
    ```bash Debian or Ubuntu theme={null}
    curl -fsSLO https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.deb
    sudo dpkg -i cysmiq_linux_amd64.deb
    ```

    ```bash RHEL or Fedora theme={null}
    curl -fsSLO https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.rpm
    sudo rpm -i cysmiq_linux_amd64.rpm
    ```

    ```bash Alpine theme={null}
    curl -fsSLO https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.apk
    sudo apk add --allow-untrusted cysmiq_linux_amd64.apk
    ```
  </Tab>
</Tabs>

Verify the installation:

```bash Verify installation theme={null}
cysmiq version
```

## Configuration

The CLI reads configuration from these sources, in order of precedence:

1. **Command-line flags**: `--base-url`, `--tenant`, `--token`
2. **Environment variables**: `CYSMIQ_BASE_URL`, `CYSMIQ_TENANT`, `CYSMIQ_TOKEN`, and other `CYSMIQ_` prefixed options
3. **Config file**: `~/.cysmiq/config.yaml`

### Required settings

| Setting  | Flag         | Environment variable | Description                               |
| -------- | ------------ | -------------------- | ----------------------------------------- |
| Base URL | `--base-url` | `CYSMIQ_BASE_URL`    | Base URL (e.g., `https://app.cysmiq.com`) |
| Tenant   | `--tenant`   | `CYSMIQ_TENANT`      | Workspace slug                            |
| Token    | `--token`    | `CYSMIQ_TOKEN`       | API token                                 |

### Config file

Create `~/.cysmiq/config.yaml` to avoid passing common flags repeatedly:

```yaml ~/.cysmiq/config.yaml theme={null}
base-url: https://app.cysmiq.com
tenant: my-workspace
# token: set via CYSMIQ_TOKEN for security
```

Use hyphenated option names in the config file:

```yaml ~/.cysmiq/config.yaml theme={null}
repo: my-org/my-repo
ref: main
poll-interval: 5s
wait-timeout: 15m
```

<Warning>
  Avoid storing API tokens in the config file. Use `CYSMIQ_TOKEN` instead.
</Warning>

## Commands

### List Tenants, Repositories, and Applications

Use the resource list commands to find the workspace, repository, or application identifiers you need for automation.

```bash List accessible workspaces theme={null}
cysmiq tenants list
```

```bash List repositories in a workspace theme={null}
cysmiq repos list --tenant my-workspace
```

```bash List applications in a workspace theme={null}
cysmiq applications list --tenant my-workspace
```

`tenants list` is not workspace-scoped, so it requires only `--base-url` and `--token`. `repos list` and `applications list` require a workspace through `--tenant` or `CYSMIQ_TENANT`.

**Options:**

| Command             | Important flags                                             | Output          |
| ------------------- | ----------------------------------------------------------- | --------------- |
| `tenants list`      | `--limit`, `--cursor`                                       | `table`, `json` |
| `repos list`        | `--org`, `--source`, `--application`, `--limit`, `--cursor` | `table`, `json` |
| `applications list` | `--limit`, `--cursor`                                       | `table`, `json` |

Use `--json` or `--output json` when another script or coding agent will consume the result.

These commands require the matching API key scopes: `tenants:read` for `tenants list`, `repositories:read` for `repos list`, and `applications:read` for `applications list`. Existing keys keep the scopes selected when they were created, so older keys may need to be recreated with the new scopes.

### Run Checks

Use `cysmiq check` to run a policy check and set the exit code based on vulnerabilities found. Use this in CI/CD pipelines to gate deployments.

```bash Basic check theme={null}
cysmiq check --repo my-org/my-repo --ref main
```

The `check` command requires either a repository or an application. In repository mode, provide `--ref` for the latest known scan on a branch or tag, or `--sha` for a specific commit. When only `--repo` is available and inference cannot find a ref or SHA, the CLI uses the repository default branch.

When `--sha` is provided in repository mode, `check` waits for the scan to reach a terminal state before evaluating the result. Use `--poll-interval` and `--wait-timeout` to control how often the CLI checks scan status and how long it waits. Application mode evaluates vulnerabilities across the application's repositories and does not wait on one scan.

**Exit codes:**

* `0`: Check passed
* `2`: Usage error, invalid flag value, missing required setting, or canceled command
* `3`: Conflict, such as a stale `--status-version`
* `4`: Unauthorized API token
* `5`: Forbidden API request or token without the required ability
* `6`: Resource not found
* `7`: Scan unavailable for the provided SHA
* `8`: API validation error
* `9`: API or transport error, including failed scan terminal states and wait timeouts after a scan was observed
* `10`: Policy failure because the configured threshold was exceeded

Exit code `1` is reserved for generic shell or runtime failures outside the CLI's explicit error classes.

**Options:**

| Flag              | Environment variable   | Default         | Description                                                                            |
| ----------------- | ---------------------- | --------------- | -------------------------------------------------------------------------------------- |
| `--repo`          | `CYSMIQ_REPO`          | -               | Repository identifier or name                                                          |
| `--application`   | `CYSMIQ_APPLICATION`   | -               | Application prefixed ID or name. Mutually exclusive with `--repo`                      |
| `--ref`           | `CYSMIQ_REF`           | -               | Git ref, such as a branch or tag                                                       |
| `--sha`           | `CYSMIQ_SHA`           | -               | Git commit SHA. When set, `check` waits for scan completion before evaluating results  |
| `--fail-on`       | `CYSMIQ_FAIL_ON`       | `critical,high` | Severities that cause failure                                                          |
| `--max-count`     | `CYSMIQ_MAX_COUNT`     | `-1`            | Fail if total vulnerabilities exceeds this number. `-1` disables the count gate        |
| `--poll-interval` | `CYSMIQ_POLL_INTERVAL` | `5s`            | Polling interval while waiting for a SHA scan to finish. Include a duration unit       |
| `--wait-timeout`  | `CYSMIQ_WAIT_TIMEOUT`  | `15m`           | Maximum time to wait for a SHA scan to reach a terminal state. Include a duration unit |
| `--limit`         | `CYSMIQ_LIMIT`         | `50`            | Max vulnerability items to fetch for policy evaluation (1-200)                         |
| `--severity`      | `CYSMIQ_SEVERITY`      | all             | Filter by severity: `critical`, `high`, `medium`, `low`                                |
| `--type`          | `CYSMIQ_TYPE`          | all             | Filter by type: `code`, `dependency`, `secret`                                         |
| `--confirmed`     | `CYSMIQ_CONFIRMED`     | `true`          | Only include confirmed vulnerabilities                                                 |
| `--triaged`       | `CYSMIQ_TRIAGED`       | all             | Filter by triage status: `yes` or `no`                                                 |
| `--state`         | `CYSMIQ_STATE`         | `open`          | Filter by workflow state: `open`, `fixed`, `accepted`, `ignored`, `rejected`, or `all` |
| `--output`        | `CYSMIQ_OUTPUT`        | `summary`       | Output format: `summary`, `table`, `json`                                              |

`--poll-interval` and `--wait-timeout` must include a duration unit, such as `5s`, `30s`, `2m`, or `15m`.

**Examples:**

```bash Fail only on critical vulnerabilities theme={null}
cysmiq check --repo my-org/my-repo --ref main --fail-on critical
```

```bash Check a specific commit theme={null}
cysmiq check --repo my-org/my-repo --sha abc123def456
```

```bash Check an application theme={null}
cysmiq check --application app_01hxyz
```

```bash Check a commit with shorter polling theme={null}
cysmiq check --repo my-org/my-repo --sha abc123def456 --poll-interval 10s --wait-timeout 5m
```

```bash Fail if more than 10 vulnerabilities theme={null}
cysmiq check --repo my-org/my-repo --ref main --max-count 10
```

```bash JSON output for parsing theme={null}
cysmiq check --repo my-org/my-repo --ref main --output json
```

### List Vulnerabilities

Use `cysmiq vulns list` to list vulnerabilities for a repository or application. By default, the CLI returns open, confirmed vulnerabilities and renders them as cards.

```bash List open vulnerabilities theme={null}
cysmiq vulns list --repo my-org/my-repo
```

**Options:**

| Flag            | Default      | Description                                                                            |
| --------------- | ------------ | -------------------------------------------------------------------------------------- |
| `--repo`        | (auto-infer) | Repository identifier                                                                  |
| `--application` |              | Application prefixed ID or name. Mutually exclusive with `--repo`                      |
| `--ref`         | (auto-infer) | Git ref (branch or tag)                                                                |
| `--sha`         |              | Git commit SHA                                                                         |
| `--severity`    | (all)        | Filter by severity                                                                     |
| `--type`        | (all)        | Filter by type                                                                         |
| `--confirmed`   | `true`       | Only include confirmed vulnerabilities                                                 |
| `--triaged`     | (all)        | Filter by triage status                                                                |
| `--state`       | `open`       | Filter by workflow state: `open`, `fixed`, `accepted`, `ignored`, `rejected`, or `all` |
| `--assignee`    |              | Filter by assignee: `me`, `unassigned`, user ID, prefixed ID, or email                 |
| `--limit`       | `50`         | Max items per page (1-200)                                                             |
| `--all`         | `false`      | Fetch all pages                                                                        |
| `--cursor`      |              | Pagination cursor                                                                      |
| `--output`      | `cards`      | Output format: `summary`, `cards`, `table`, `json`                                     |
| `--json`        |              | Output JSON with optional comma-separated field projection                             |
| `--color`       | `auto`       | Color mode for human-readable output: `auto`, `always`, `never`                        |

```bash List critical vulnerabilities across all pages theme={null}
cysmiq vulns list --repo my-org/my-repo --severity critical --all
```

```bash List vulnerabilities for an application theme={null}
cysmiq vulns list --application app_01hxyz --output table
```

```bash List vulnerabilities assigned to you theme={null}
cysmiq vulns list --repo my-org/my-repo --assignee me
```

```bash Export as JSON theme={null}
cysmiq vulns list --repo my-org/my-repo --output json > vulns.json
```

```bash Export selected JSON fields theme={null}
cysmiq vulns list --repo my-org/my-repo --json id,title,severity,state,assignee
```

### Get Vulnerability Details

Use `cysmiq vulns get` to get details for one vulnerability.

```bash Get vulnerability details theme={null}
cysmiq vulns get VULN-123
```

**Options:**

| Flag                | Default   | Description                                                                                                 |
| ------------------- | --------- | ----------------------------------------------------------------------------------------------------------- |
| `--include`         |           | Include extra detail: `locations`, `advisory`, `secret`, `call_hierarchies`, `impacts`, `human_escalations` |
| `--locations-limit` | `50`      | Max locations to fetch when `--include locations` is used                                                   |
| `--output`          | `summary` | Output format: `summary`, `json`                                                                            |
| `--json`            |           | Output JSON with optional comma-separated field projection                                                  |
| `--color`           | `auto`    | Color mode for summary output: `auto`, `always`, `never`                                                    |

```bash Get selected fields theme={null}
cysmiq vulns get VULN-123 --json id,title,severity,state,status_version
```

```bash Include locations and advisory details theme={null}
cysmiq vulns get VULN-123 --include locations,advisory
```

### List Vulnerability Locations

Use `cysmiq vulns locations` to list locations for one vulnerability.

```bash List vulnerability locations theme={null}
cysmiq vulns locations VULN-123
```

**Options:**

| Flag       | Default | Description                                                                            |
| ---------- | ------- | -------------------------------------------------------------------------------------- |
| `--scope`  | `all`   | Location scope: `live` for only unfixed locations, or `all` to include fixed locations |
| `--limit`  | `50`    | Max locations per page (1-200)                                                         |
| `--cursor` |         | Pagination cursor                                                                      |
| `--output` | `cards` | Output format: `summary`, `cards`, `table`, `json`                                     |
| `--json`   |         | Output JSON with optional comma-separated field projection                             |
| `--color`  | `auto`  | Color mode for human-readable output: `auto`, `always`, `never`                        |

```bash List live locations as a table theme={null}
cysmiq vulns locations VULN-123 --scope live --output table
```

### Assign Vulnerabilities

Use `cysmiq vulns assign` to assign a vulnerability to a user.

```bash Assign to yourself theme={null}
cysmiq vulns assign VULN-123 --to me
```

**Options:**

| Flag               | Default   | Description                                                   |
| ------------------ | --------- | ------------------------------------------------------------- |
| `--to`             |           | Assignee: `me`, user ID, prefixed ID, or email                |
| `--status-version` |           | Expected vulnerability status version for conflict protection |
| `--output`         | `summary` | Output format: `summary`, `json`                              |
| `--json`           | `false`   | Output JSON                                                   |

### Clear Vulnerability Assignees

Use `cysmiq vulns unassign` to clear the assignee on a vulnerability.

```bash Clear assignee theme={null}
cysmiq vulns unassign VULN-123
```

**Options:**

| Flag               | Default   | Description                                                   |
| ------------------ | --------- | ------------------------------------------------------------- |
| `--status-version` |           | Expected vulnerability status version for conflict protection |
| `--output`         | `summary` | Output format: `summary`, `json`                              |
| `--json`           | `false`   | Output JSON                                                   |

### Triage Vulnerabilities

Use `cysmiq vulns triage` to change vulnerability triage state.

```bash Mark a vulnerability as accepted theme={null}
cysmiq vulns triage VULN-123 --state accepted --reason "Mitigated upstream"
```

Use `ignored` when the finding is a false positive.

**Options:**

| Flag               | Default   | Description                                                   |
| ------------------ | --------- | ------------------------------------------------------------- |
| `--state`          |           | Triage state: `open`, `fixed`, `accepted`, `ignored`          |
| `--reason`         |           | Triage reason or comment                                      |
| `--status-version` |           | Expected vulnerability status version for conflict protection |
| `--output`         | `summary` | Output format: `summary`, `json`                              |
| `--json`           | `false`   | Output JSON                                                   |

### Summarize Vulnerabilities

Use `cysmiq vulns summary` to show a vulnerability count summary without listing individual items.

```bash Show vulnerability summary theme={null}
cysmiq vulns summary --repo my-org/my-repo
```

```bash Show application vulnerability summary theme={null}
cysmiq vulns summary --application app_01hxyz
```

| Flag            | Default      | Description                                                                            |
| --------------- | ------------ | -------------------------------------------------------------------------------------- |
| `--repo`        | (auto-infer) | Repository identifier                                                                  |
| `--application` |              | Application prefixed ID or name. Mutually exclusive with `--repo`                      |
| `--ref`         | (auto-infer) | Git ref (branch or tag)                                                                |
| `--sha`         |              | Git commit SHA                                                                         |
| `--severity`    | (all)        | Filter by severity                                                                     |
| `--type`        | (all)        | Filter by type                                                                         |
| `--confirmed`   | `true`       | Only include confirmed vulnerabilities                                                 |
| `--triaged`     | (all)        | Filter by triage status                                                                |
| `--state`       | `open`       | Filter by workflow state: `open`, `fixed`, `accepted`, `ignored`, `rejected`, or `all` |
| `--output`      | `summary`    | Output format: `summary`, `json`                                                       |

`vulns summary` supports the same vulnerability filter fields as `vulns list`, except pagination, assignee, color, and field projection.

### Show Version

Use `cysmiq version` to print version information.

```bash Show version theme={null}
cysmiq version
```

### Update CLI

Use `cysmiq update` to update the CLI to the latest version.

```bash Update to latest theme={null}
cysmiq update
```

| Flag      | Description                                              |
| --------- | -------------------------------------------------------- |
| `--check` | Check for updates without installing                     |
| `--force` | Force update even if installed through a package manager |

```bash Check for updates theme={null}
cysmiq update --check
```

### Agent Skills

Use `cysmiq skills` to install and manage official Cysmiq skills for coding agents. Skills are local files, so installs and updates preserve local edits unless you explicitly choose an overwrite option.

Supported agent IDs:

| Agent ID | Agent                 | Project install path    |
| -------- | --------------------- | ----------------------- |
| `codex`  | Codex                 | `.codex/skills/cysmiq`  |
| `claude` | Claude Code           | `.claude/skills/cysmiq` |
| `agents` | Portable agent layout | `.agents/skills/cysmiq` |

List the available skills bundle:

```bash List available skills theme={null}
cysmiq skills list
```

Install the Cysmiq skill for Codex in the current project:

```bash Install for Codex theme={null}
cysmiq skills install --agent codex --scope project
```

Install for every supported agent in the current project:

```bash Install for all supported agents theme={null}
cysmiq skills install --all-agents --scope project
```

Check what is installed and whether it is current:

```bash Check installed skills theme={null}
cysmiq skills status
```

Diagnose local skill setup:

```bash Diagnose skill setup theme={null}
cysmiq skills doctor
```

Update installed skills:

```bash Update installed skills theme={null}
cysmiq skills update
```

Remove installed Cysmiq skills:

```bash Remove installed skills theme={null}
cysmiq skills remove --agent codex --scope project
```

**Scopes:**

| Scope     | Description                                                                                                       |
| --------- | ----------------------------------------------------------------------------------------------------------------- |
| `auto`    | Default for `install`. Uses project scope when a Git root or agent marker is detected, otherwise uses user scope. |
| `project` | Installs into the current project root. If no project root is detected, the current working directory is used.    |
| `user`    | Installs into the user's home directory. For Codex, `CODEX_HOME` is used when set.                                |

**Options:**

| Flag           | Commands                                                  | Description                                                         |
| -------------- | --------------------------------------------------------- | ------------------------------------------------------------------- |
| `--agent`      | `install`, `status`, `update`, `remove`                   | Agent ID to target. Repeat the flag or pass comma-separated values. |
| `--all-agents` | `install`, `status`, `update`, `remove`                   | Target every supported agent.                                       |
| `--scope`      | `install`, `status`, `update`, `remove`                   | Install scope: `auto`, `project`, or `user`.                        |
| `--json`       | `list`, `install`, `status`, `doctor`, `update`, `remove` | Emit JSON output.                                                   |
| `--source`     | `list`, `install`, `status`, `doctor`, `update`           | Override the metadata source with a URL or `file://` path.          |
| `--version`    | `list`, `install`, `status`, `doctor`, `update`           | Pin a specific skills bundle version.                               |
| `--backup`     | `install`, `update`                                       | Back up modified files before overwriting them.                     |
| `--force`      | `install`, `update`, `remove`                             | Overwrite or remove locally modified Cysmiq-owned files.            |
| `--yes`        | `update`                                                  | Skip the update confirmation prompt.                                |

`skills update` replaces official files that still match the installed version. Locally modified Cysmiq-owned files require `--backup` or `--force`. `skills remove` removes Cysmiq-owned files and leaves unrelated local files in place.

## CI/CD Integration

The `check`, `vulns list`, and `vulns summary` commands can auto-infer repository, ref, and SHA from common CI environments. Explicit flags, environment variables, and config file values take precedence over inferred values.

<Info>
  Use `--sha` in CI/CD gates when you want the CLI to wait for the scan for the current commit before evaluating policy. Use `--ref` when you want to evaluate the latest scan for a branch or tag.
</Info>

### GitHub Actions

```yaml GitHub Actions workflow theme={null}
name: Security Check

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Cysmiq CLI
        run: |
          curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
          sudo mv cysmiq /usr/local/bin/

      - name: Run security check
        env:
          CYSMIQ_BASE_URL: https://app.cysmiq.com
          CYSMIQ_TENANT: ${{ vars.CYSMIQ_TENANT }}
          CYSMIQ_TOKEN: ${{ secrets.CYSMIQ_TOKEN }}
          CYSMIQ_REPO: ${{ github.repository }}
          CYSMIQ_SHA: ${{ github.sha }}
        run: cysmiq check
```

### GitLab CI

```yaml GitLab CI configuration theme={null}
security-check:
  image: alpine:latest
  before_script:
    - apk add --no-cache curl
    - curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
    - mv cysmiq /usr/local/bin/
  script:
    - cysmiq check
  variables:
    CYSMIQ_BASE_URL: https://app.cysmiq.com
    CYSMIQ_TENANT: $CYSMIQ_TENANT
    CYSMIQ_TOKEN: $CYSMIQ_TOKEN
    CYSMIQ_REPO: $CI_PROJECT_PATH
    CYSMIQ_SHA: $CI_COMMIT_SHA
```

### CircleCI

```yaml CircleCI configuration theme={null}
version: 2.1

jobs:
  security-check:
    docker:
      - image: cimg/base:current
    steps:
      - checkout
      - run:
          name: Install Cysmiq CLI
          command: |
            curl -fsSL https://github.com/cysmiq/cli-releases/releases/latest/download/cysmiq_linux_amd64.tar.gz | tar -xz
            sudo mv cysmiq /usr/local/bin/
      - run:
          name: Run security check
          command: cysmiq check --repo "$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME" --sha "$CIRCLE_SHA1"
          environment:
            CYSMIQ_BASE_URL: https://app.cysmiq.com

workflows:
  main:
    jobs:
      - security-check:
          context: cysmiq
```

## Global options

These options apply to all commands:

| Flag         | Environment variable | Description                                                                        |
| ------------ | -------------------- | ---------------------------------------------------------------------------------- |
| `--base-url` | `CYSMIQ_BASE_URL`    | API base URL                                                                       |
| `--tenant`   | `CYSMIQ_TENANT`      | Workspace slug                                                                     |
| `--token`    | `CYSMIQ_TOKEN`       | API token                                                                          |
| `--no-infer` | `CYSMIQ_NO_INFER`    | Disable auto-inference from CI environment, local git, and default branch fallback |

## Shared vulnerability filters

These options apply to `check`, `vulns list`, and `vulns summary` unless a command table states otherwise.

| Flag            | Environment variable | Description                                                                         |
| --------------- | -------------------- | ----------------------------------------------------------------------------------- |
| `--repo`        | `CYSMIQ_REPO`        | Repository identifier or name                                                       |
| `--application` | `CYSMIQ_APPLICATION` | Application prefixed ID or name. Mutually exclusive with `--repo`                   |
| `--ref`         | `CYSMIQ_REF`         | Git ref, such as a branch or tag                                                    |
| `--sha`         | `CYSMIQ_SHA`         | Git commit SHA                                                                      |
| `--confirmed`   | `CYSMIQ_CONFIRMED`   | Only confirmed vulnerabilities                                                      |
| `--triaged`     | `CYSMIQ_TRIAGED`     | Filter triaged status: `yes` or `no`                                                |
| `--state`       | `CYSMIQ_STATE`       | Filter workflow state: `open`, `fixed`, `accepted`, `ignored`, `rejected`, or `all` |
| `--severity`    | `CYSMIQ_SEVERITY`    | Filter by severities: `critical`, `high`, `medium`, `low`                           |
| `--type`        | `CYSMIQ_TYPE`        | Filter by types: `code`, `dependency`, `secret`                                     |
| `--limit`       | `CYSMIQ_LIMIT`       | Max items to fetch on commands that expose `--limit`                                |

When `--state` is omitted, the CLI sends `open`. Use `--state all` to request all workflow states.

`--ref` and `--sha` require repository mode. Use `--application` when you want to evaluate or list vulnerabilities across all repositories in an application.

## Related docs

* [API keys](/security-access/api-keys): Generate tokens for CLI authentication
* [Vulnerability lifecycle](/vulnerability-management/lifecycle): Understand vulnerability statuses and triage states
