Skip to main content

CyberXYZ Vulnerability Scanner CLI — real-time vulnerability intelligence, XYZ scoring, EPSS and depalert scores

Project description

cyberxyz-scanner

CyberXYZ Security CLI. Real-time supply-chain protection for npm, PyPI, Go and .NET (NuGet) on macOS, Linux and Windows.

PyPI version Python License

The CLI pairs with the CyberXYZ platform to give you per-machine package inventory, proxy enforcement on every npm install / pip install, and CI/CD gating on flagged dependencies. It is the implementer's interface to a platform that also exposes the same controls in a web dashboard.

Install

The package is published on PyPI as cyberxyz-scanner. The CLI binary it installs is named xyz.

With pip

pip install cyberxyz-scanner

With uv

uv pip install cyberxyz-scanner

Verify the install:

xyz --help

Quick start (one-time per machine)

# 1. Browser-based login. Stores a JWT in ~/.xyz/config.json
xyz login

# 2. Enroll this machine. Single command does all of:
#    - Registers the device server-side
#    - Writes the proxy token to ~/.npmrc
#    - Configures pip's global index URL
#    - Installs the OS service for dashboard "Scan now" support
#      (LaunchAgent on macOS, systemd --user on Linux, Task Scheduler on Windows)
xyz proxy setup --machine-name "Alex's MacBook"

That's it. Every subsequent npm install and pip install on this device is checked through the CyberXYZ proxy, and the dashboard's "Scan now" button can trigger a fresh inventory audit on demand.

For environments that should not run a long-running background process (CI build agents, sealed builds), pass --no-install-daemon.

Audit installed packages

Each command below audits the matching ecosystem on this machine, runs the CyberXYZ watchlist + deep check on suspect packages, and uploads the full inventory to the platform.

xyz audit npm                  # local + global node_modules
xyz audit python               # active Python environment via pip
xyz audit go                   # $GOPATH module cache
xyz audit nuget                # packages.lock.json files under cwd
xyz audit                      # npm + python + go back-to-back

By default each command uses the watchlist pre-filter for speed (~25-40s on a typical machine). Pass --full to skip the pre-filter and deep-check every package (slower but covers advisory-only matches at scan time).

Other useful commands

# One-off safety check on a single package + version
xyz check axios 1.14.1 -e npm

# CI/CD gate. Drops a non-zero exit on flagged packages.
xyz depalert scan --package-lock package-lock.json --fail-on block
xyz depalert scan --requirements requirements.txt --fail-on quarantine
xyz depalert scan -p axios@1.14.1 -p lodash@4.17.21

# SBOM upload (CycloneDX or SPDX)
xyz inventory upload ./my-app
xyz inventory upload --sbom syft.json

# Diagnostic / housekeeping
xyz proxy status               # show current npm + pip proxy config
xyz proxy whoami               # what (org, machine) does my token resolve to
xyz proxy remove               # restore default registries on this machine
xyz scans list                 # history of recent scans for your org
xyz upgrade                    # pull the latest release from PyPI

CI/CD integrations

Drop one of the templates below into your repo, set XYZ_API_KEY as a secret, and any push or PR that pulls in a malicious or vulnerable package will fail the build with a clear reason.

  • GitHub Actions: .github/workflows/xyz-depalert.yml (template in the XYZ-APT-Scanner repo)
  • Azure DevOps Pipelines: integrations/azure-pipelines/cyberxyz-supply-chain.yml

Both run the same xyz depalert scan engine your laptops use.

Re-enroll, rotate, remove

To rotate the proxy token on a device, just re-run xyz proxy setup --machine-name "...". The platform revokes the old token and writes a fresh one. The daemon picks it up at next restart.

To remove a device cleanly, delete it from the dashboard Fleet view. The deletion sweeps proxy_install_log, proxy_tokens, cli_scans, customer_inventory_uploads, customer_package_inventory and scan_jobs in one transaction. Re-enroll with the same command above.

Platform

License

Proprietary. See LICENSE.

Contact

Email: amro@cyberxyz.io

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyberxyz_scanner-1.4.44.tar.gz (130.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cyberxyz_scanner-1.4.44-py3-none-any.whl (113.7 kB view details)

Uploaded Python 3

File details

Details for the file cyberxyz_scanner-1.4.44.tar.gz.

File metadata

  • Download URL: cyberxyz_scanner-1.4.44.tar.gz
  • Upload date:
  • Size: 130.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cyberxyz_scanner-1.4.44.tar.gz
Algorithm Hash digest
SHA256 6aeb417f66b30b5686683f3111a562d3c48efb52dd3a7b782d0f378e1b330399
MD5 eea2c4c0a5300db5bc01cb925cce0a03
BLAKE2b-256 7d83e2aaf1fe730603a06429d0d6c4b502e713d2e72868c9bbf3a16db73a197c

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.44.tar.gz:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cyberxyz_scanner-1.4.44-py3-none-any.whl.

File metadata

File hashes

Hashes for cyberxyz_scanner-1.4.44-py3-none-any.whl
Algorithm Hash digest
SHA256 158aa1b2768ec9874393c31c273743a792ae1366455225d67065c7cdd1cfe61d
MD5 d76f27ab5f354ad498c3c0abe5d4ed74
BLAKE2b-256 ea974f87a95107b3fc47da0cc35121405886d9b1cd25aee9a07b525edb1a745c

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.44-py3-none-any.whl:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page