Skip to main content

CyberXYZ Vulnerability Scanner CLI — real-time vulnerability intelligence, XYZ scoring, EPSS and depalert scores

Project description

cyberxyz-scanner

CyberXYZ Security CLI. Real-time supply-chain protection for npm, PyPI, Go and .NET (NuGet) on macOS, Linux and Windows.

PyPI version Python License

The CLI pairs with the CyberXYZ platform to give you per-machine package inventory, proxy enforcement on every npm install / pip install, and CI/CD gating on flagged dependencies. It is the implementer's interface to a platform that also exposes the same controls in a web dashboard.

Install

The package is published on PyPI as cyberxyz-scanner. The CLI binary it installs is named xyz.

With pip

pip install cyberxyz-scanner

With uv

uv pip install cyberxyz-scanner

Verify the install:

xyz --help

Quick start (one-time per machine)

# 1. Browser-based login. Stores a JWT in ~/.xyz/config.json
xyz login

# 2. Enroll this machine. Single command does all of:
#    - Registers the device server-side
#    - Writes the proxy token to ~/.npmrc
#    - Configures pip's global index URL
#    - Installs the OS service for dashboard "Scan now" support
#      (LaunchAgent on macOS, systemd --user on Linux, Task Scheduler on Windows)
xyz proxy setup --machine-name "Alex's MacBook"

That's it. Every subsequent npm install and pip install on this device is checked through the CyberXYZ proxy, and the dashboard's "Scan now" button can trigger a fresh inventory audit on demand.

For environments that should not run a long-running background process (CI build agents, sealed builds), pass --no-install-daemon.

Audit installed packages

Each command below audits the matching ecosystem on this machine, runs the CyberXYZ watchlist + deep check on suspect packages, and uploads the full inventory to the platform.

xyz audit npm                  # local + global node_modules
xyz audit python               # active Python environment via pip
xyz audit go                   # $GOPATH module cache
xyz audit nuget                # packages.lock.json files under cwd
xyz audit                      # npm + python + go back-to-back

By default each command uses the watchlist pre-filter for speed (~25-40s on a typical machine). Pass --full to skip the pre-filter and deep-check every package (slower but covers advisory-only matches at scan time).

Other useful commands

# One-off safety check on a single package + version
xyz check axios 1.14.1 -e npm

# CI/CD gate. Drops a non-zero exit on flagged packages.
xyz depalert scan --package-lock package-lock.json --fail-on block
xyz depalert scan --requirements requirements.txt --fail-on quarantine
xyz depalert scan -p axios@1.14.1 -p lodash@4.17.21

# SBOM upload (CycloneDX or SPDX)
xyz inventory upload ./my-app
xyz inventory upload --sbom syft.json

# Diagnostic / housekeeping
xyz proxy status               # show current npm + pip proxy config
xyz proxy whoami               # what (org, machine) does my token resolve to
xyz proxy remove               # restore default registries on this machine
xyz scans list                 # history of recent scans for your org
xyz upgrade                    # pull the latest release from PyPI

CI/CD integrations

Drop one of the templates below into your repo, set XYZ_API_KEY as a secret, and any push or PR that pulls in a malicious or vulnerable package will fail the build with a clear reason.

  • GitHub Actions: .github/workflows/xyz-depalert.yml (template in the XYZ-APT-Scanner repo)
  • Azure DevOps Pipelines: integrations/azure-pipelines/cyberxyz-supply-chain.yml

Both run the same xyz depalert scan engine your laptops use.

Re-enroll, rotate, remove

To rotate the proxy token on a device, just re-run xyz proxy setup --machine-name "...". The platform revokes the old token and writes a fresh one. The daemon picks it up at next restart.

To remove a device cleanly, delete it from the dashboard Fleet view. The deletion sweeps proxy_install_log, proxy_tokens, cli_scans, customer_inventory_uploads, customer_package_inventory and scan_jobs in one transaction. Re-enroll with the same command above.

Platform

License

Proprietary. See LICENSE.

Contact

Email: amro@cyberxyz.io

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyberxyz_scanner-1.4.42.tar.gz (128.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cyberxyz_scanner-1.4.42-py3-none-any.whl (111.5 kB view details)

Uploaded Python 3

File details

Details for the file cyberxyz_scanner-1.4.42.tar.gz.

File metadata

  • Download URL: cyberxyz_scanner-1.4.42.tar.gz
  • Upload date:
  • Size: 128.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cyberxyz_scanner-1.4.42.tar.gz
Algorithm Hash digest
SHA256 6dec4ffa7d3506d0bbb889dce0ac01d3e4d8a2d3653eadb8ef7b980ff5afd12e
MD5 84724d73447c60182312a6970659c107
BLAKE2b-256 dbba4f4b31c3bd9c810c27c1253e81d7552f53a71baef92de5359a84a7b0689c

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.42.tar.gz:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cyberxyz_scanner-1.4.42-py3-none-any.whl.

File metadata

File hashes

Hashes for cyberxyz_scanner-1.4.42-py3-none-any.whl
Algorithm Hash digest
SHA256 bb1ee0f139fba0c13780133bf3baa38bddf1bb24412443775ab39c49b56e876d
MD5 6812bfc34707f1a4d1a07fbe28dc6603
BLAKE2b-256 5f20ac6d9bc66b7c946f48313ceb27846c40c305f103076959fba2def18487f9

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.42-py3-none-any.whl:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page