@netbobr/cli
v1.0.4
Pipe-friendly CLI for netbobr firewall rule risk analysis
Downloads: 44
@netbobr/cli
Pipe-friendly CLI for firewall rule risk analysis. Validates flows against 6 compliance frameworks (PCI-DSS, CIS Controls, NIST 800-53, NIS2, DORA, MITRE ATT&CK), produces risk scores, and returns meaningful exit codes for pipeline gating.
Install
```bash
npm install -g @netbobr/cli
```
Or run directly with npx (zero install):
```bash
npx @netbobr/cli analyze ...
```
Usage
Inline flags
```bash
netbobr analyze --src 10.0.0.0/8 --dst 203.0.113.5 --proto tcp --port 22
```
File input
```bash
netbobr analyze firewall-rules.csv --fail-on high
```
Stdin pipe
```bash
cat rules.json | netbobr analyze - --output json
```
Cloud formats
Auto-detect or specify the cloud input format:
```bash
# Terraform plan
terraform show -json tfplan | netbobr analyze - --cloud-format tf-plan --fail-on high
# AWS Security Groups
netbobr analyze sgs.json --cloud-format aws-sg --output sarif
# Kubernetes NetworkPolicy
netbobr analyze netpol.yaml --cloud-format k8s-netpol
# Azure NSG
netbobr analyze nsg.json --cloud-format azure-nsg
# Auto-detect
netbobr analyze cloud-export.json --cloud-format auto
```
Supported formats: aws-sg, azure-nsg, gcp-fw, tf-plan, k8s-netpol, auto.
Output Formats
| Format | Flag | Use Case |
|--------|------|----------|
| JSON | --output json | Machine parsing, custom integrations |
| Table | --output table | Human-readable terminal output (default for TTY) |
| CSV | --output csv | Spreadsheet import, data analysis |
| SARIF | --output sarif | GitHub Code Scanning, VS Code |
| PDF | --output pdf | Compliance reports (requires --output-file) |
JSON is the default when output is piped. Table is the default for interactive terminals.
Exit Codes
| Exit Code | Severity | Meaning |
|-----------|----------|---------|
| 0 | Low / None | All flows are low risk or clean |
| 1 | Medium | At least one medium-severity finding |
| 2 | High | At least one high-severity finding |
| 3 | Critical | At least one critical-severity finding |
Use --fail-on <severity> to set a custom threshold:
```bash
netbobr analyze rules.csv --fail-on high      # fail on high or critical
netbobr analyze rules.csv --fail-on critical  # fail only on critical
netbobr analyze rules.csv --fail-on low       # fail on any finding
```
Configuration
Load a browser-exported netbobr session to apply custom rules, zones, risk weights, and disabled rules:
```bash
netbobr analyze rules.csv --config netbobr-session.json
```
Export your configuration from the netbobr web app using Session Control > Save.
CI/CD Integration
GitHub Actions
```yaml
- run: npx @netbobr/cli analyze firewall-rules.csv --fail-on high
```
```yaml
# With SARIF upload to Code Scanning:
- run: npx @netbobr/cli analyze firewall-rules.csv --output sarif > results.sarif
  continue-on-error: true
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
  if: always()
```
Azure DevOps
```yaml
- script: npx @netbobr/cli analyze firewall-rules.csv --fail-on high
  displayName: 'Validate firewall rules'
```
GitLab CI
```yaml
firewall-validation:
  image: node:20
  script:
    - npx @netbobr/cli analyze firewall-rules.csv --fail-on high
```
See the full CI/CD documentation for detailed platform guides including Jenkins, SARIF integration, PDF artifacts, and severity gating.
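The GitHub Actions snippet above uses `continue-on-error: true` so the SARIF upload still runs, which also means the job no longer fails on findings. As an added example (not part of the @netbobr/cli project), the POSIX shell gate below runs the analysis once, keeps the SARIF file for a later upload step marked `if: always()`, and applies the threshold from the Exit Codes table itself, treating any exit code outside 0-3 as a tool failure that fails closed. It assumes `netbobr` is on PATH; the function and argument names are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of @netbobr/cli: produce the SARIF artifact and gate
# the job on the documented exit codes (0 low/none, 1 medium, 2 high, 3 critical).
# Assumes `netbobr` is on PATH; function names here are constructed.
set -u

# Translate an exit code into the severity label from the Exit Codes table.
# Anything outside 0-3 is a tool failure (crash, missing binary), not a finding.
severity_of_exit() {
  case "$1" in
    0) echo none ;;
    1) echo medium ;;
    2) echo high ;;
    3) echo critical ;;
    *) echo error ;;
  esac
}

# Numeric rank for threshold comparison; "error" ranks above critical so a
# broken analysis can never be mistaken for a clean one (fail closed).
severity_rank() {
  case "$1" in
    none|low) echo 0 ;;
    medium)   echo 1 ;;
    high)     echo 2 ;;
    critical) echo 3 ;;
    *)        echo 4 ;;
  esac
}

# should_fail EXIT_CODE THRESHOLD: succeeds (0) when the job must fail.
# Exit code 0 covers both "low" and "clean", so it never trips the gate;
# use the tool's own --fail-on low when low findings must block.
should_fail() {
  sev=$(severity_of_exit "$1")
  [ "$sev" = none ] && return 1
  [ "$(severity_rank "$sev")" -ge "$(severity_rank "$2")" ]
}

# run_gate RULES THRESHOLD SARIF: one analysis run, SARIF kept for upload,
# then the threshold decision. Pair with an upload step using `if: always()`.
run_gate() {
  netbobr analyze "$1" --output sarif --quiet > "$3"
  code=$?
  if should_fail "$code" "$2"; then
    echo "netbobr: $(severity_of_exit "$code") finding(s) at or above '$2' (exit $code)" >&2
    return 1
  fi
  echo "netbobr: nothing at or above '$2' (exit $code)"
}
```

Call it from the job step as `run_gate firewall-rules.csv high results.sarif`, with the upload step reading results.sarif.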
Flags Reference
| Flag | Description |
|------|-------------|
| --src <ip> | Source IP/CIDR for inline analysis |
| --dst <ip> | Destination IP/CIDR for inline analysis |
| --proto <protocol> | Protocol (tcp, udp, icmp, any) |
| --port <port> | Port, range, or list (e.g. 80,443,8000-9000) |
| --output <format> | Output format: json, table, csv, sarif, pdf |
| --output-file <path> | Output file path (required for PDF) |
| --config <path> | Path to netbobr session JSON |
| --fail-on <severity> | Exit code threshold: low, medium, high, critical |
| --frameworks <list> | Comma-separated frameworks to enable (e.g. pci,nist,mitre) |
| --cloud-format [format] | Cloud input format (or auto to detect) |
| --quiet | Suppress non-essential output |
License
MIT
