Skip to main content

CyberXYZ Vulnerability Scanner CLI — real-time vulnerability intelligence, XYZ scoring, EPSS and depalert scores

Project description

cyberxyz-scanner

CyberXYZ Security CLI. Real-time supply-chain protection for npm, PyPI, Go and .NET (NuGet) on macOS, Linux and Windows.

PyPI version Python License

The CLI pairs with the CyberXYZ platform to give you per-machine package inventory, proxy enforcement on every npm install / pip install, and CI/CD gating on flagged dependencies. It is the implementer's interface to a platform that also exposes the same controls in a web dashboard.

Install

The package is published on PyPI as cyberxyz-scanner. The CLI binary it installs is named xyz.

With pip

pip install cyberxyz-scanner

With uv

uv pip install cyberxyz-scanner

Verify the install:

xyz --help

Quick start (one-time per machine)

# 1. Browser-based login. Stores a JWT in ~/.xyz/config.json
xyz login

# 2. Enroll this machine. Single command does all of:
#    - Registers the device server-side
#    - Writes the proxy token to ~/.npmrc
#    - Configures pip's global index URL
#    - Installs the OS service for dashboard "Scan now" support
#      (LaunchAgent on macOS, systemd --user on Linux, Task Scheduler on Windows)
xyz proxy setup --machine-name "Alex's MacBook"

That's it. Every subsequent npm install and pip install on this device is checked through the CyberXYZ proxy, and the dashboard's "Scan now" button can trigger a fresh inventory audit on demand.

For environments that should not run a long-running background process (CI build agents, sealed builds), pass --no-install-daemon.

Audit installed packages

Each command below audits the matching ecosystem on this machine, runs the CyberXYZ watchlist + deep check on suspect packages, and uploads the full inventory to the platform.

xyz audit npm                  # local + global node_modules
xyz audit python               # active Python environment via pip
xyz audit go                   # $GOPATH module cache
xyz audit nuget                # packages.lock.json files under cwd
xyz audit                      # npm + python + go back-to-back

By default each command uses the watchlist pre-filter for speed (~25-40s on a typical machine). Pass --full to skip the pre-filter and deep-check every package (slower but covers advisory-only matches at scan time).

Other useful commands

# One-off safety check on a single package + version
xyz check axios 1.14.1 -e npm

# CI/CD gate. Drops a non-zero exit on flagged packages.
xyz depalert scan --package-lock package-lock.json --fail-on block
xyz depalert scan --requirements requirements.txt --fail-on quarantine
xyz depalert scan -p axios@1.14.1 -p lodash@4.17.21

# SBOM upload (CycloneDX or SPDX)
xyz inventory upload ./my-app
xyz inventory upload --sbom syft.json

# Diagnostic / housekeeping
xyz proxy status               # show current npm + pip proxy config
xyz proxy whoami               # what (org, machine) does my token resolve to
xyz proxy remove               # restore default registries on this machine
xyz scans list                 # history of recent scans for your org
xyz upgrade                    # pull the latest release from PyPI

CI/CD integrations

Drop one of the templates below into your repo, set XYZ_API_KEY as a secret, and any push or PR that pulls in a malicious or vulnerable package will fail the build with a clear reason.

  • GitHub Actions: .github/workflows/xyz-depalert.yml (template in the XYZ-APT-Scanner repo)
  • Azure DevOps Pipelines: integrations/azure-pipelines/cyberxyz-supply-chain.yml

Both run the same xyz depalert scan engine your laptops use.

Re-enroll, rotate, remove

To rotate the proxy token on a device, just re-run xyz proxy setup --machine-name "...". The platform revokes the old token and writes a fresh one. The daemon picks it up at next restart.

To remove a device cleanly, delete it from the dashboard Fleet view. The deletion sweeps proxy_install_log, proxy_tokens, cli_scans, customer_inventory_uploads, customer_package_inventory and scan_jobs in one transaction. Re-enroll with the same command above.

Platform

License

Proprietary. See LICENSE.

Contact

Email: amro@cyberxyz.io

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyberxyz_scanner-1.4.34.tar.gz (120.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cyberxyz_scanner-1.4.34-py3-none-any.whl (102.7 kB view details)

Uploaded Python 3

File details

Details for the file cyberxyz_scanner-1.4.34.tar.gz.

File metadata

  • Download URL: cyberxyz_scanner-1.4.34.tar.gz
  • Upload date:
  • Size: 120.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cyberxyz_scanner-1.4.34.tar.gz
Algorithm Hash digest
SHA256 94d8cedda62d3a17678d0e2535e71899e1d2877c4bf4275f020243266fed1a50
MD5 dfdb26b24c2e8b708d578cbb2b627046
BLAKE2b-256 d44e955c0ea829da9b5266373659c5b21fc967c931260abbf0a9474d9da3430a

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.34.tar.gz:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cyberxyz_scanner-1.4.34-py3-none-any.whl.

File metadata

File hashes

Hashes for cyberxyz_scanner-1.4.34-py3-none-any.whl
Algorithm Hash digest
SHA256 f063b314ffd37d55be9da28653b92784afa458fd4ad0cb3a78b8c33bdcf4be43
MD5 8e1150b0c015f0ac529ac079aedd23b8
BLAKE2b-256 dc0bc3c4c1aacd68ea153767b36bac22393c71f0d00fd1b601f1ad8322375420

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.34-py3-none-any.whl:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page