# @reaegis/cli

v1.0.0

REAEGIS local code scanning CLI: CVE, SBOM, IaC, and secrets scanning with signed OSCAL evidence bundles for environments without CI/CD connectivity.
reaegis scans code that is not in a connected repository: local
workstations, air-gapped developer networks, COTS software, legacy systems,
and any environment where a CI/CD webhook cannot be used. It produces the
same OSCAL evidence and findings that the REAEGIS RAMPART engine produces
from pipeline events — the output is identical, only the path to get there
is different.
```text
$ reaegis scan ./my-project
reaegis v1.0.0 — FedRAMP High scan
──────────────────────────────────
Scanning: ./my-project
Framework: FedRAMP High
✔ CVE scan complete — 3 findings (1 CRITICAL)
✔ SBOM generated — 247 components
✔ IaC scan complete — 2 findings
✔ Secrets scan complete — 0 findings
✔ Image digest check complete — 1 unpinned reference(s)
✔ Bundle signed and saved
```

## Installation
```bash
# Global install
npm install -g @reaegis/cli

# Or run without installing
npx @reaegis/cli scan ./my-project
```

Requires Node.js 20 or later. Grype and Syft are downloaded automatically on first use (into `~/.reaegis/bin/`) if they are not already on your PATH.

## Quick start

```bash
# 1. Authenticate (API key from the REAEGIS dashboard → Settings → API Keys)
reaegis auth --token tk_live_xxxx
# → Authenticated as: ACME Corp / FedRAMP Program

# 2. Scan
reaegis scan ./my-project
# → scans, writes a signed evidence bundle, uploads findings automatically
```

No auth? Scans still work: everything runs locally and the bundle is saved to `./reaegis-evidence/`. Add auth later and run `reaegis upload ./reaegis-evidence` to submit it.
## Commands

### `reaegis auth`

```bash
reaegis auth --token <api-key> [--url https://api.reaegis.com]
```

Verifies the key against the platform, prints the program name, and stores credentials in `~/.reaegis/config.json` (mode 0600).

### `reaegis scan [path]`

Runs five independent checks (a failure in one never stops the others):
| Check | Tool | What it finds |
|---|---|---|
| CVE scan | Grype | Known vulnerabilities in dependency manifests and image tarballs |
| SBOM | Syft | Full software inventory (CycloneDX, stored in the bundle) |
| IaC compliance | built-in | The same 6 misconfiguration rules as RAMPART Gate 8 (public buckets, world-open SSH, hardcoded credentials, unencrypted volumes, root usage, encryption-at-rest disabled) |
| Secrets | built-in | AWS keys, PEM private keys, API keys, connection strings, .env secrets — path + line + type only, never the value |
| Image digests | built-in | Container references not pinned to a SHA-256 digest, mutable tags (:latest, :main, :develop) |
Options:

```text
--framework     fedramp-high | fedramp-moderate | cmmc-level-2 | cmmc-level-3 |
                nist-800-53 | nist-800-171 (default: nist-800-53)
--output        upload | bundle | both (default: both)
--bundle-path   evidence output directory (default: ./reaegis-evidence)
--offline       local CVE database only, no network calls
--db-path       local Grype DB location (default: ~/.reaegis/db)
--commit-sha    commit for traceability (default: git rev-parse HEAD)
--system-id     REAEGIS system ID to associate findings with
```

Exit codes: `0` no CRITICAL/HIGH findings · `1` CRITICAL present · `2` HIGH present (no CRITICAL) · `3` scan error (tool not found, path invalid).
### `reaegis sbom [path]`

```bash
reaegis sbom .                                         # CycloneDX JSON to stdout
reaegis sbom . --format spdx --output sbom.spdx.json
```

### `reaegis stig <target>`

```bash
reaegis stig / --benchmark U_RHEL_9_STIG_SCAP.xml \
  --profile xccdf_org.ssgproject.content_profile_stig \
  --output rhel9.ckl
```

Runs OpenSCAP (`oscap`, installed separately) against a DISA SCAP benchmark and writes a STIG Viewer checklist (`.ckl`).

### `reaegis upload [bundle-path]`

Uploads a previously generated bundle, the deferred path for air-gapped operations. Verifies bundle integrity (manifest hashes) before sending.

### `reaegis db update`

```bash
reaegis db update --path ./reaegis-db
```

Downloads the latest Grype CVE database for later offline use.

### `reaegis status`

Shows the authenticated account, platform URL, last scan, CVE DB version, and connectivity.

### `reaegis version`

Prints the version and checks npm for updates (the only command that contacts the registry).
## Air-gapped usage

```bash
# 1. On an internet-connected machine:
npm pack @reaegis/cli                    # → reaegis-cli-1.0.0.tgz
reaegis db update --path ./reaegis-db    # → CVE database directory

# 2. Transfer both (plus grype/syft binaries from ~/.reaegis/bin) to the
#    air-gapped machine.

# 3. On the air-gapped machine:
npm install -g ./reaegis-cli-1.0.0.tgz
reaegis scan ./my-project --offline --db-path ./reaegis-db --output bundle

# 4. Transfer ./reaegis-evidence back out and upload it:
reaegis upload ./reaegis-evidence
```

In `--offline` mode the CLI makes no network calls: no tool downloads, no DB updates, no upload.
## CI/CD integration

The CLI also works inside pipelines when a webhook integration is not an option.

### GitHub Actions

```yaml
- name: REAEGIS scan
  run: |
    npx @reaegis/cli auth --token "${{ secrets.REAEGIS_API_KEY }}"
    npx @reaegis/cli scan . --framework fedramp-moderate --commit-sha "${{ github.sha }}"
```

### GitLab CI

```yaml
reaegis-scan:
  image: node:20
  script:
    - npx @reaegis/cli auth --token "$REAEGIS_API_KEY"
    - npx @reaegis/cli scan . --commit-sha "$CI_COMMIT_SHA"
  artifacts:
    when: always
    paths: [reaegis-evidence/]
```

### Azure DevOps

```yaml
- task: NodeTool@0
  inputs: { versionSpec: "20.x" }
- script: |
    npx @reaegis/cli auth --token "$(REAEGIS_API_KEY)"
    npx @reaegis/cli scan . --commit-sha "$(Build.SourceVersion)"
  displayName: REAEGIS scan
```

## Output format
Every scan produces a signed evidence bundle:

```text
reaegis-evidence/
├── assessment-results.json   OSCAL 1.1.2 assessment-results
├── sbom.cyclonedx.json       SBOM from Syft
├── grype-results.json        raw Grype output
├── iac-findings.json         IaC rule results
├── secrets-scan.json         secret locations (never values)
├── manifest.json             SHA-256 of every file
├── manifest.sig              ECDSA-P256 signature (base64 DER)
└── signing-key.pub           public key for verification
```

The OSCAL document is validated against the required fields of the NIST OSCAL assessment-results schema before it is written. Observations use assessment method TEST per the NIST SP 800-171 Assessment Methodology; each finding targets the affected 800-53 control with state `not-satisfied`.

Verify a bundle signature:

```bash
base64 -d reaegis-evidence/manifest.sig > /tmp/sig.der
openssl dgst -sha256 -verify reaegis-evidence/signing-key.pub \
  -signature /tmp/sig.der reaegis-evidence/manifest.json
```

The signing key lives at `~/.reaegis/signing-key.pem` (auto-generated on first run); set `REAEGIS_SIGNING_KEY` to a PEM string to use your own.
## Framework coverage

| Framework | Mapping basis |
|---|---|
| NIST SP 800-53 Rev 5 | Control catalog — SI-2, RA-5, SI-3, SA-10, SR-4, CM-6/7/8/14, SC-7/28, AC-2/3, IA-5 |
| NIST SP 800-171 | Assessment Methodology v1.2.1 — 3.4.x, 3.5.10, 3.11.3, 3.12.4, 3.13.x, 3.14.1 |
| NIST CSF 2.0 | nist.gov/cyberframework — DE.CM-8, RS.MI-3, ID.AM-2, ID.SC-4, PR.IP-1, PR.AC-1/5, PR.DS-2/8 |

FedRAMP High/Moderate and CMMC Level 2/3 select the assessment context; every finding carries all three framework mappings.

## Privacy & security guarantees

- Secret values are never stored, logged, or transmitted: the secrets scanner reports file path, line number, and pattern type only.
- Offline by default for scanning. Network calls happen only for CVE DB updates (`reaegis db update`), platform upload (`--output upload`/`both` with auth), tool auto-install, and the explicit `reaegis version` update check. There is no telemetry.
- Grype and Syft run with their phone-home update checks disabled.
## Contributing

The CLI lives in `apps/cli` of the REAEGIS platform monorepo.

```bash
pnpm install
pnpm --filter @reaegis/cli build
pnpm --filter @reaegis/cli test
node apps/cli/dist/index.js scan --help
```

Pull requests need passing tests and a clean `tsc`. New scan checks must map findings to all three frameworks (see `src/mappings/controls.ts`) and must never capture secret material.

## License

Apache-2.0 © REAEGIS Software
