CLI
Symbiotic CLI Tool
Usage:
--telemetry [off|crash|error|all]: Enable telemetry [default: off]
-v, --verbose: Increase verbosity (-v=info, -vv=debug) [default: 0]
--auth-mode [membership|server|organization]: How to authenticate to the backend [default: membership]
--install-completion: Install completion for the current shell.
--show-completion: Show completion for the current shell, to copy it or customize the installation.
--help: Show this message and exit.
init: Check for CLI updates.
install: Download and install the security scanners…
logout: Logout from the Symbiotic backend.
version: Show the installed CLI version.
collect-files: Collect files from the current directory…
scan-diff: Compare two scan outputs and display their…
airemediate: AI Remediation-related parameters
ci: CI-related parameters
infra: Infrastructure as Code (IaC) scanning…
code: Source code security scanning commands and…
init
Check for CLI updates.
Install the scanners.
Download vulnerability rules.
Set up authentication.
Usage:
-f, --force: Force install: will remove existing files before re-installing
--help: Show this message and exit.
install
Download and install the security scanners used by the CLI.
Usage:
-f, --force: Force install: will remove existing files before re-installing
--help: Show this message and exit.
logout
Logout from the Symbiotic backend.
Usage:
--help: Show this message and exit.
version
Show the installed CLI version.
Usage:
--help: Show this message and exit.
collect-files
Collect files from the current directory for scanning.
Usage:
PATH: Path to scan [required]
--help: Show this message and exit.
scan-diff
Compare two scan outputs and display their differences.
Takes two SymbioticScanOutput JSON files and returns a SymbioticScanDiffOutput
containing created, unchanged and remediated findings.
Usage:
BEFORE_PATH: Path to JSON file containing symbiotic output before changes [required]
AFTER_PATH: Path to JSON file containing symbiotic output after changes [required]
--ci-formatting: Format output for CI systems
--help: Show this message and exit.
airemediate
AI Remediation-related parameters
Usage:
--help: Show this message and exit.
remediate: Perform AI-powered remediation for a…
generate_recommendation: Generate a recommendation after…
fp_reason
remediation_mode_selection_post_fix: Challenge the remediation mode after…
airemediate remediate
Perform AI-powered remediation for a single vulnerability (code or infra-as-code).
This command extracts the vulnerable code from a given file and range,
generates an AI-based fix based on the vulnerability rule metadata,
and applies it to the file. Optionally, it can output the full
remediation details to a JSON file.
For IaC vulnerabilities, use --type infra.
Usage:
PROJECT_DIR: Path to project directory [required]
RULE_ID: Rule ID of the detected vulnerability. [required]
FILE_PATH: Path to the vulnerable file (relative or absolute). [required]
START_LINE: The starting line number of the vulnerability. [required]
END_LINE: The ending line number of the vulnerability. [required]
START_COL: The starting column of the vulnerability. [required]
END_COL: The ending column of the vulnerability. [required]
LANGUAGE: Language of the code we want to remediate [required]
[FINGERPRINT]: Fingerprint of the finding, used to track interactions with the AI.
--stream: Enable streaming mode for live output processing
--type [code|infra]: Vulnerability type (code or infra) [default: code]
--vuln-doc TEXT: Vulnerability documentation
--code-context TEXT: Code snippet with context around the vulnerability.
--project-context TEXT: Context about the vulnerability in the project scope.
--override-fp: Enable streaming mode for live output processing
airemediate generate_recommendation
Generate a recommendation after remediating a code vulnerability, suggesting
additional manual changes that may be needed elsewhere in the project.
Usage:
[RECOMMENDATION_JSON_PARAMS]: A JSON string containing the vulnerability context.
--file TEXT: Path to a JSON file containing the vulnerability context.
--stream: Enable streaming mode for live output processing
--help: Show this message and exit.
airemediate fp_reason
Usage:
PROJECT_DIR: Path to project directory [required]
RULE_ID: Rule ID of the detected vulnerability. [required]
FILE_PATH: Path to the vulnerable file (relative or absolute). [required]
START_LINE: The starting line number of the vulnerability. [required]
END_LINE: The ending line number of the vulnerability. [required]
START_COL: The starting column of the vulnerability. [required]
END_COL: The ending column of the vulnerability. [required]
LANGUAGE: Language of the code we want to remediate [required]
[FINGERPRINT]: Fingerprint of the finding, used to track interactions with the AI.
--stream: Enable streaming mode for live output processing
--vuln-doc TEXT: Vulnerability documentation
--code-context TEXT: Code snippet with context around the vulnerability.
airemediate remediation_mode_selection_post_fix
Challenge the remediation mode after remediating a Code vulnerability.
This command evaluates whether a provided remediation is sufficient (‘simple’) or if the
vulnerability requires deeper, architectural changes (‘deep’) to be fully resolved.
Usage:
[RECOMMENDATION_JSON_PARAMS]: JSON string containing remediated code and vulnerability context generated by the remediate command.
--file TEXT: Path to a JSON file containing the vulnerability context.
--help: Show this message and exit.
ci
CI-related parameters
Usage:
--help: Show this message and exit.
infra: Run Infrastructure as Code security scan…
code: Run Code Security scan in CI.
ci infra
Run Infrastructure as Code security scan in CI.
Exit Codes:
0: No blocking vulnerabilities (findings with scan_status: BLOCKING)
1: Blocking vulnerabilities found OR missing required git fields OR upload error
Output:
stdout: Human-readable formatted output (or “No vulnerabilities detected”)
stderr: Errors (API failures, missing fields)
Note: Exit code is determined by count of BLOCKING findings, not scanner exit code.
Findings with scan_status DEFAULT or IGNORED do not affect exit code.
Usage:
PATH: Path to scan [required]
--severity-threshold TEXT: Minimum severity level that will cause a detection to fail the CI pipeline. (critical|high|medium|low)
--skip-output-formatting: Skip formatting the scan output
--skip-upload-results: Skip uploading scan results to Symbiotic backend
--git-remote-url TEXT: Git remote URL of the scanned repository
--git-first-commit-sha TEXT: SHA of the first commit in the scanned repository
--git-latest-commit-sha TEXT: SHA of the latest commit in the scanned repository
--git-default-branch TEXT: Default branch of the scanned repository
--git-current-branch TEXT: Current branch being scanned
--help: Show this message and exit.
ci code
Run Code Security scan in CI.
Exit Codes:
0: No blocking vulnerabilities (findings with scan_status: BLOCKING)
1: Blocking vulnerabilities found OR missing required git fields OR upload error
Output:
stdout: Human-readable formatted output (or “No vulnerabilities detected”)
stderr: Errors (API failures, missing fields)
Note: Exit code is determined by count of BLOCKING findings, not scanner exit code.
Findings with scan_status DEFAULT or IGNORED do not affect exit code.
Usage:
PATH: Path to scan [required]
--severity-threshold TEXT: Minimum severity level that will cause a detection to fail the CI pipeline. (critical|high|medium|low)
--skip-output-formatting: Skip formatting the scan output
--skip-upload-results: Skip uploading scan results to Symbiotic backend
--git-remote-url TEXT: Git remote URL of the scanned repository
--git-first-commit-sha TEXT: SHA of the first commit in the scanned repository
--git-latest-commit-sha TEXT: SHA of the latest commit in the scanned repository
--git-default-branch TEXT: Default branch of the scanned repository
--git-current-branch TEXT: Current branch being scanned
--help: Show this message and exit.
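Both ci infra and ci code return exit code 1 for blocking findings as well as for missing git fields or an upload error, so a pipeline cannot tell a policy failure from a tooling failure by exit code alone. The wrapper below is an added example, not part of the CLI or its documentation; it separates the two cases by checking stderr, assuming stderr stays empty when only BLOCKING findings caused the failure. run_ci_gate, the fake_* stand-ins and SCAN_CLI are hypothetical names (the executable name is not given on this page).

```shell
#!/bin/sh
# Added example, not part of the CLI. Assumption: when exit code 1 is caused
# only by BLOCKING findings, nothing is written to stderr.

# run_ci_gate CMD [ARGS...]
# Returns 0: no blocking findings
#         1: blocking findings (policy failure)
#         2: exit 1 with error text on stderr (missing git fields, upload/API error)
#         3: an exit code the page does not document
run_ci_gate() {
    err_file=$(mktemp) || return 3
    rc=0
    "$@" 2>"$err_file" || rc=$?   # stdout (the report) passes through untouched
    if [ "$rc" -eq 0 ]; then
        result=0
    elif [ "$rc" -eq 1 ] && [ -s "$err_file" ]; then
        echo "scan error, not a findings result:" >&2
        cat "$err_file" >&2
        result=2
    elif [ "$rc" -eq 1 ]; then
        result=1
    else
        result=3
    fi
    rm -f "$err_file"
    return "$result"
}

# Constructed stand-ins for the documented outcomes (not real CLI output).
fake_clean()    { echo "No vulnerabilities detected"; }
fake_blocking() { echo "constructed report: 1 BLOCKING finding"; return 1; }
fake_error()    { echo "constructed error: missing git field" >&2; return 1; }

# Usage in a pipeline, with SCAN_CLI as a placeholder for the executable name:
#   run_ci_gate "$SCAN_CLI" ci code . --severity-threshold high
```

Treating return code 2 as a pipeline error rather than a pass keeps a failed upload or missing git field from silently skipping the security gate.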
infra
Infrastructure as Code (IaC) scanning commands and utilities.
Usage:
--help: Show this message and exit.
install: Install the Infrastructure as Code (IaC)…
uninstall: Uninstall the Infrastructure as Code (IaC)…
scan: Scan a directory using the IaC scanner.
version: Show the version of the installed IaC…
latest-version: Show the latest available version of the…
location: Show the filesystem location of the IaC…
infra install
Install the Infrastructure as Code (IaC) scanner.
Usage:
-f, --force: Force install: will remove existing files before re-installing
--help: Show this message and exit.
infra uninstall
Uninstall the Infrastructure as Code (IaC) scanner.
Usage:
--help: Show this message and exit.
infra scan
Scan a directory using the IaC scanner.
Exit Codes:
0: Scan completed successfully
1: Scanner execution error
Output:
stdout: SymbioticScanOutput JSON (or raw scanner JSON with --raw)
stderr: Scanner logs and warnings
Usage:
PATH: Filesystem path to scan [required]
--skip-files TEXT: Comma-separated files to exclude
--skip-dirs TEXT: Comma-separated directories to exclude
--raw / --no-raw: Show raw scanner JSON output [default: no-raw]
--skip-upload-results: Skip uploading scan results to Symbiotic backend
--origin [ide|ci|vcs_app|cli_standalone|symbiotic_code]: Source triggering the scan [default: cli_standalone]
--help: Show this message and exit.
infra version
Show the version of the installed IaC scanner.
Usage:
--help: Show this message and exit.
infra latest-version
Show the latest available version of the IaC scanner.
Usage:
--help: Show this message and exit.
infra location
Show the filesystem location of the IaC scanner binary.
Usage:
--help: Show this message and exit.
code
Source code security scanning commands and utilities.
Usage:
--help: Show this message and exit.
install: Install the code security scanner.
uninstall: Uninstall the code security scanner.
scan: Scan a directory using the code security…
version: Show the version of the installed code…
latest-version: Show the latest available version of the…
location: Show the filesystem location of the code…
code install
Install the code security scanner.
Usage:
-f, --force: Force install: will remove existing files before re-installing
--help: Show this message and exit.
code uninstall
Uninstall the code security scanner.
Usage:
--help: Show this message and exit.
code scan
Scan a directory using the code security scanner.
Exit Codes:
0: Scan completed successfully
1: Scanner execution error
Output:
stdout: SymbioticScanOutput JSON (or raw Opengrep JSON with --raw)
stderr: Scanner logs and warnings
Usage:
PATH: Filesystem path to scan [required]
--raw / --no-raw: Show raw scanner JSON output [default: no-raw]
--skip-upload-results: Skip uploading scan results to Symbiotic backend
--origin [ide|ci|vcs_app|cli_standalone|symbiotic_code]: Source triggering the scan [default: cli_standalone]
--help: Show this message and exit.
code version
Show the version of the installed code scanner.
Usage:
--help: Show this message and exit.
code latest-version
Show the latest available version of the code scanner.
Usage:
--help: Show this message and exit.
code location
Show the filesystem location of the code scanner binary.
Usage:
--help: Show this message and exit.