Security doesn’t begin with developers, but they are often affected by security. In my career as a developer, I would say I spent roughly a week per quarter performing tasks to fulfill security needs, whether that meant patch updates, vulnerability remediation, or other DevOps requirements for the sake of policy compliance. As developers are a necessary part of many security fixes, they also benefit from tools supporting security initiatives. Tools that help prevent security issues can also help save developer time because it almost always becomes more expensive and time-consuming to remediate security problems in later phases of development. The Cycode CLI is one of these time-saving tools because it helps prevent hardcoded secrets, misconfigurations, and other vulnerabilities from entering the SCM at all.
What Is the Cycode CLI?
The Cycode Command Line Interface (CLI) is an application you install on your local machine to scan your locally stored repositories for secrets and infrastructure-as-code (IaC) misconfigurations. It can be run against individual files, commits, or whole repositories while they are under active development, which gives developers both a security and a productivity benefit.
What Problem Does the CLI Solve?
The Cycode CLI allows developers to check their code for potential vulnerabilities before pushing their code to a remote server or on-premises environment. Having a command line interface enables security ownership by developers by fitting directly within developer workflows.
For example, let’s say a developer has cloned a repository from GitHub and has made local changes. To confirm that desired changes do not introduce security risks (such as hardcoded secrets), this developer may use the Cycode CLI to scan for issues before committing them. This scan doesn’t require developers to leave the development workflow. Security scans may be further streamlined with Cycode’s pre-commit hook, which automatically runs security scans on any files developers attempt to commit.
Earlier visibility of potential security concerns prevents defects that would otherwise need remediation later. Because a finding becomes more expensive to fix the further it travels through the SDLC, catching it before the commit gives developers back time and saves the organization cost overall.
Cycode CLI Features
As a tool to help empower developers, the Cycode CLI offers features that help identify security vulnerabilities at the earliest possible stages of application development.
Commands
The Cycode CLI provides a means of running scans, managing results, and authorizing scans with the Cycode platform. These commands are run with the format:
cycode <command> <option>
| Command | Description |
| --- | --- |
| auth | Opens the Cycode login page so developers can associate the CLI with their Cycode account. |
| configure | Authenticates the Cycode CLI client manually from the command line using a client ID and client secret. |
| ignore | Ignores a specific value, path, or rule ID. |
| scan | Scans content for secrets or IaC violations; a scan type must be specified (ci, commit_history, path, repository, etc.). |
| --version | Shows the version and exits. |
Two global options help with debugging and discovery. To show detailed logs from any Cycode command, place -v or --verbose before the command (for example, cycode -v scan path .). To list the options for a given command, append --help after it.
Scans
The Cycode CLI supports a variety of different scan types. To run a scan, enter:
cycode scan <scan-type-command>
| Command | Description |
| --- | --- |
| repository | Scans a git repository, including its history. |
| path | Scans the files under the path supplied in the command. |
| commit_history | Scans the full commit history of a git repository. |
| pre_commit | Scans content that has not been committed yet. |
Local Repository Scans
A repository scan examines an entire local repository for exposed secrets and misconfigurations. This is the most holistic scan type: it looks at both the current state of the repository and its commit history. A secret that was committed and later deleted from the working tree is still present in git history, and anyone with a clone can recover it, so the repository scan reports previously deleted secrets as well as currently exposed ones.
For example, consider a scenario where you want to scan your repository stored in ~/home/git/codebase. You could then execute the following:
cycode scan repository ~/home/git/codebase
Options available for repository scans include (run cycode scan --help and cycode scan repository --help to see exactly where each option is placed):
- -b, --branch TEXT: branch to scan; if not set, the default branch is scanned.
- -t, --scan-type [secret|iac]: which scan to run (secret or iac); the default is secret.
- --show-secret <boolean>: show secrets in plain text (by default the secret value is masked in output).
- --soft-fail <boolean>: run the scan without failing, i.e. always return a non-error status code, so findings are reported but do not block a commit or pipeline (default is false).
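To make concrete why the pre-commit scan described earlier and the repository scan described in this section see different things, here is a small added example (not code from Cycode or from this article) of a toy secret scanner run over constructed inputs. The rule names, the entropy threshold, the sample files, and the sample commits are all assumptions made for the illustration; Cycode's own detectors are not reproduced.

```python
"""
Added example, not code from Cycode or from the article: a toy secret scanner
that illustrates two points made in the text.

1. A pre-commit style scan (like `cycode scan pre_commit`) sees only the
   content about to be committed.
2. A repository/history scan (like `cycode scan repository`) also sees what
   earlier commits contained, so a secret that was committed and later removed
   is still reported even though the working tree is clean.

Detection is two regexes plus a Shannon-entropy filter; Cycode's own detectors
are not reproduced here. Every input below is a constructed sample.
"""
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed detection rules: the AWS access-key-ID shape, and a generic
# `name = "value"` assignment where the name looks like a credential.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-assigned-secret": re.compile(
        r"(?i)\b(secret|token|password|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking material scores high, prose low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    value: str
    commit: Optional[str] = None  # None for staged / working-tree findings


def scan_text(path: str, text: str, commit: Optional[str] = None,
              min_entropy: float = 3.0) -> list:
    """Scan one file's content line by line and return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)  # captured value, or whole match
                # Drop low-entropy placeholders such as "xxxxxxxxxxxxxxxx".
                if rule == "generic-assigned-secret" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(rule, path, line_no, value, commit))
    return findings


def scan_staged(staged: dict) -> list:
    """Pre-commit view: only the files that are about to be committed."""
    return [f for path, text in staged.items() for f in scan_text(path, text)]


def scan_working_tree(commits: list) -> list:
    """Path-scan view: the latest snapshot only, ignoring earlier commits."""
    _, snapshot = commits[-1]
    return [f for path, text in snapshot.items() for f in scan_text(path, text)]


def scan_history(commits: list) -> list:
    """Repository view: every snapshot, so deleted secrets are still reported."""
    return [f for sha, snapshot in commits
            for path, text in snapshot.items()
            for f in scan_text(path, text, commit=sha)]


def exit_code(findings: list, soft_fail: bool = False) -> int:
    """Mirror the CLI's gating: non-zero blocks the commit unless soft-fail is set."""
    return 0 if soft_fail or not findings else 1


# Constructed staged changes: one real-looking key, one low-entropy placeholder.
SAMPLE_STAGED = {
    "settings.py": 'api_key = "q7Zp2mV9xL4rT8wB1nK6"\npassword = "xxxxxxxxxxxxxxxx"\n',
    "README.md": "Set API_KEY in the environment before running.\n",
}

# Constructed history: the key is committed in c1 and removed again in c2.
# AKIAIOSFODNN7EXAMPLE is the placeholder key used in the AWS documentation.
SAMPLE_COMMITS = [
    ("c1", {"config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'}),
    ("c2", {"config.py": 'import os\nAWS_KEY = os.environ["AWS_KEY"]\n'}),
]

if __name__ == "__main__":
    staged = scan_staged(SAMPLE_STAGED)
    print("staged findings:", staged, "-> exit", exit_code(staged))
    print("working tree:", scan_working_tree(SAMPLE_COMMITS))
    print("history:", scan_history(SAMPLE_COMMITS))
```

Running it shows the staged scan flagging the high-entropy api_key while skipping the placeholder password, the working-tree scan of the constructed history returning nothing, and the history scan still reporting the key from commit c1. The exit_code helper mirrors the --soft-fail option above: with soft-fail the findings are still printed but the return code no longer blocks the commit, which is convenient while triaging a large backlog and unsafe as a permanent setting.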
Path Scans
A path scan examines a specific local directory and everything beneath it, rather than a git repository, so files are scanned regardless of whether they are tracked by git or have been committed.
For example, consider a scenario where you want to scan the directory located at ~/home/git/codebase. You could then execute the following:
cycode scan path ~/home/git/codebase
Commit History Scans
A commit history scan is