Skip to main content

CyberXYZ Vulnerability Scanner CLI — real-time vulnerability intelligence, XYZ scoring, EPSS and depalert scores

Project description

cyberxyz-scanner

CyberXYZ Security CLI. Real-time supply-chain protection for npm, PyPI, Go and .NET (NuGet) on macOS, Linux and Windows.

PyPI version Python License

The CLI pairs with the CyberXYZ platform to give you per-machine package inventory, proxy enforcement on every npm install / pip install, and CI/CD gating on flagged dependencies. It is the implementer's interface to a platform that also exposes the same controls in a web dashboard.

Install

The package is published on PyPI as cyberxyz-scanner. The CLI binary it installs is named xyz.

With pip

pip install cyberxyz-scanner

With uv

uv pip install cyberxyz-scanner

Verify the install:

xyz --help

Quick start (one-time per machine)

# 1. Browser-based login. Stores a JWT in ~/.xyz/config.json
xyz login

# 2. Enroll this machine. Single command does all of:
#    - Registers the device server-side
#    - Writes the proxy token to ~/.npmrc
#    - Configures pip's global index URL
#    - Installs the OS service for dashboard "Scan now" support
#      (LaunchAgent on macOS, systemd --user on Linux, Task Scheduler on Windows)
xyz proxy setup --machine-name "Alex's MacBook"

That's it. Every subsequent npm install and pip install on this device is checked through the CyberXYZ proxy, and the dashboard's "Scan now" button can trigger a fresh inventory audit on demand.

For environments that should not run a long-running background process (CI build agents, sealed builds), pass --no-install-daemon.

Audit installed packages

Each command below audits the matching ecosystem on this machine, runs the CyberXYZ watchlist + deep check on suspect packages, and uploads the full inventory to the platform.

xyz audit npm                  # local + global node_modules
xyz audit python               # active Python environment via pip
xyz audit go                   # $GOPATH module cache
xyz audit nuget                # packages.lock.json files under cwd
xyz audit                      # npm + python + go back-to-back

By default each command uses the watchlist pre-filter for speed (~25-40s on a typical machine). Pass --full to skip the pre-filter and deep-check every package (slower but covers advisory-only matches at scan time).

Other useful commands

# One-off safety check on a single package + version
xyz check axios 1.14.1 -e npm

# CI/CD gate. Drops a non-zero exit on flagged packages.
xyz depalert scan --package-lock package-lock.json --fail-on block
xyz depalert scan --requirements requirements.txt --fail-on quarantine
xyz depalert scan -p axios@1.14.1 -p lodash@4.17.21

# SBOM upload (CycloneDX or SPDX)
xyz inventory upload ./my-app
xyz inventory upload --sbom syft.json

# Diagnostic / housekeeping
xyz proxy status               # show current npm + pip proxy config
xyz proxy whoami               # what (org, machine) does my token resolve to
xyz proxy remove               # restore default registries on this machine
xyz scans list                 # history of recent scans for your org
xyz upgrade                    # pull the latest release from PyPI

CI/CD integrations

Drop one of the templates below into your repo, set XYZ_API_KEY as a secret, and any push or PR that pulls in a malicious or vulnerable package will fail the build with a clear reason.

  • GitHub Actions: .github/workflows/xyz-depalert.yml (template in the XYZ-APT-Scanner repo)
  • Azure DevOps Pipelines: integrations/azure-pipelines/cyberxyz-supply-chain.yml

Both run the same xyz depalert scan engine your laptops use.

Re-enroll, rotate, remove

To rotate the proxy token on a device, just re-run xyz proxy setup --machine-name "...". The platform revokes the old token and writes a fresh one. The daemon picks it up at next restart.

To remove a device cleanly, delete it from the dashboard Fleet view. The deletion sweeps proxy_install_log, proxy_tokens, cli_scans, customer_inventory_uploads, customer_package_inventory and scan_jobs in one transaction. Re-enroll with the same command above.

Platform

License

Proprietary. See LICENSE.

Contact

Email: amro@cyberxyz.io

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cyberxyz_scanner-1.4.53.tar.gz (132.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cyberxyz_scanner-1.4.53-py3-none-any.whl (115.8 kB view details)

Uploaded Python 3

File details

Details for the file cyberxyz_scanner-1.4.53.tar.gz.

File metadata

  • Download URL: cyberxyz_scanner-1.4.53.tar.gz
  • Upload date:
  • Size: 132.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for cyberxyz_scanner-1.4.53.tar.gz
Algorithm Hash digest
SHA256 d3e1982eb84e2a10ead529a178408e1c9e3a0e6a20886b0a5451e4ca9a5879f3
MD5 d6539b8cfceb2a83229b752677761e08
BLAKE2b-256 53b8bc1ca10c56b45616c21ef51f90202a1e1a550d023e50bb019281402f40a0

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.53.tar.gz:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cyberxyz_scanner-1.4.53-py3-none-any.whl.

File metadata

File hashes

Hashes for cyberxyz_scanner-1.4.53-py3-none-any.whl
Algorithm Hash digest
SHA256 0647f15d7820b4fdaab56b76343653900a5e9254e435c7717f52c63d10f7a188
MD5 771faffd0745ea101d0e01ab9a404d17
BLAKE2b-256 a1b2f83c374e1fd12dd2c4a4073a6362a1b46722b5d1d572049b68bbb4452cc4

See more details on using hashes here.

Provenance

The following attestation bundles were made for cyberxyz_scanner-1.4.53-py3-none-any.whl:

Publisher: publish-to-pypi.yml on CyberXYZSecurity/XYZ-Exploitability-Scanner

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page