Setup

Download and Install

To download and install the right version of our CLI, use the following command:
curl -sSL https://github.com/SymbioticSec/cli/releases/latest/download/install.sh | bash
echo 'export PATH="$HOME/.local/bin:$PATH"'
If you encounter problems and need to reinstall the CLI, you can use the command symbiotic-cli install -f.

Retrieve and set your token

To use our CLI you will need a personal access token, which you can create and retrieve here. Once you have it, set the SYMBIOTIC_API_TOKEN environment variable to your token.

Usage

Scan

As of today, two types of scan are available in our CLI:
  1. Infrastructure scan to review IaC files
    symbiotic-cli infra scan [PATH_OF_THE_FOLDER_TO_SCAN]
    
  2. Code scan to review generic programming languages
    symbiotic-cli code scan [PATH_OF_THE_FOLDER_TO_SCAN]
    
Both commands return a JSON object with the following structure:
{
  "fail_results": [],
  "pass_results": [],
  "external_results": [],
  "files": {
    "files": [],
    "excluded_files": [],
    "excluded_folders": []
  }
}
Each vulnerability found is a JSON object in the fail_results array with the following structure:
{
  "rule_id": "",
  "rule_language": "",
  "type": "",
  "title": "",
  "severity": "",
  "description": "",
  "resource_path": "",
  "resource": "",
  "resource_name": "",
  "location": {
    "start_line": 0,
    "end_line": 0,
    "absolute_filename": "",
    "relative_filename": "",
    "start_col": 0,
    "end_col": 0
  },
  "resolution_advice": "",
  "snippet": "",
  "full_snippet": "",
  "static_remediation": "",
  "invocation_chain": [],
  "references": [],
  "impact": "",
  "confidence_level": "",
  "impact_level": "",
  "likelihood_level": "",
  "owasp": "",
  "cwe": "",
  "conf_status": "",
  "scan_status": "",
  "metadata": {
    "conf_file_status": "",
    "scan_status_origin": "",
    "ignore_comment": "",
    "false_positive": false
  },
  "fingerprint": {
    "version": "",
    "rule_id": "",
    "anchor_hash": "",
    "content_hash": "",
    "ordinal": 0,
    "anchor_string": "",
    "content_string": "",
    "full_fingerprint": ""
  },
  "fingerprint_metadata": {
    "generation_time_ms": 0,
    "extraction_method": "",
    "warnings": []
  }
}

AI Services

To use our AI services you will need to set the target LLM environment variable: SYMBIOTIC_TARGET_LLM_API=https://llm-proxy.symbioticsec.ai/

Remediate

After detecting a vulnerability, you can use our AI service to generate a tailored remediation with the following command:
symbiotic-cli airemediate remediate <PROJECT_DIR> <RULE_ID> <FILE_PATH> \
    <START_LINE> <END_LINE> \
    <START_COL> <END_COL> \
    <LANGUAGE>

Explain false positive reason

If an issue is likely a false positive, no remediation will be generated and false_positive_status will be equal to FALSE_POSITIVE. In that case, you can use one of our AI services to learn why this issue looks like a false positive, with the following command:
symbiotic-cli airemediate fp_reason <PROJECT_DIR> <RULE_ID> <FILE_PATH> \
    <START_LINE> <END_LINE> \
    <START_COL> <END_COL> \
    <LANGUAGE>

The answer will be a Markdown text explaining in detail why this issue is likely a false positive.
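The following script, added here as an example and not part of the Symbiotic CLI or its documentation, shows how the scan output documented above can be turned into the argument lists the remediate and fp_reason commands expect. It reads the JSON, counts findings by severity, and for each finding builds the <PROJECT_DIR> <RULE_ID> <FILE_PATH> <START_LINE> <END_LINE> <START_COL> <END_COL> <LANGUAGE> arguments from the rule_id, location and rule_language fields, routing findings flagged in metadata.false_positive to fp_reason instead of remediate. The sample scan output, the rule ids, the severity strings and the mapping of rule_language onto the <LANGUAGE> argument are constructed assumptions for the example, not values from the page.

```python
import json
import shlex
import sys
from collections import Counter

# Constructed sample in the shape of the documented scan output: two findings, one of
# them marked by the scanner as a likely false positive. Rule ids are placeholders.
SAMPLE_SCAN_OUTPUT = json.dumps({
    "fail_results": [
        {
            "rule_id": "example-rule-001",
            "rule_language": "python",
            "type": "code",
            "title": "Example finding (constructed)",
            "severity": "HIGH",
            "location": {
                "start_line": 12, "end_line": 14,
                "absolute_filename": "/work/project/src/app.py",
                "relative_filename": "src/app.py",
                "start_col": 5, "end_col": 40,
            },
            "metadata": {"conf_file_status": "", "scan_status_origin": "",
                         "ignore_comment": "", "false_positive": False},
        },
        {
            "rule_id": "example-rule-002",
            "rule_language": "python",
            "type": "code",
            "title": "Example finding flagged as false positive (constructed)",
            "severity": "LOW",
            "location": {
                "start_line": 30, "end_line": 30,
                "absolute_filename": "/work/project/src/util.py",
                "relative_filename": "src/util.py",
                "start_col": 1, "end_col": 22,
            },
            "metadata": {"conf_file_status": "", "scan_status_origin": "",
                         "ignore_comment": "", "false_positive": True},
        },
    ],
    "pass_results": [],
    "external_results": [],
    "files": {"files": ["src/app.py", "src/util.py"], "excluded_files": [], "excluded_folders": []},
})

# Assumed severity labels; lower number = more severe. Unknown labels sort last.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def load_findings(raw_json):
    """Return the fail_results array from a scan output document."""
    return json.loads(raw_json).get("fail_results", [])


def severity_counts(findings):
    """Count findings per severity label, for a quick triage summary."""
    return dict(Counter(f.get("severity", "UNKNOWN") for f in findings))


def is_false_positive(finding):
    """True when the scanner itself marked the finding as a likely false positive."""
    return bool(finding.get("metadata", {}).get("false_positive", False))


def airemediate_args(project_dir, finding):
    """Build the positional arguments shared by 'remediate' and 'fp_reason'.

    Assumption: <FILE_PATH> is location.relative_filename (relative to <PROJECT_DIR>)
    and <LANGUAGE> is the finding's rule_language.
    """
    loc = finding["location"]
    return [
        project_dir, finding["rule_id"], loc["relative_filename"],
        str(loc["start_line"]), str(loc["end_line"]),
        str(loc["start_col"]), str(loc["end_col"]),
        finding["rule_language"],
    ]


def plan_commands(project_dir, findings, min_severity="MEDIUM"):
    """Return shell-quoted commands, most severe first.

    Real findings at or above min_severity get 'remediate'; findings flagged as
    false positives get 'fp_reason' regardless of severity, so the reason can be
    reviewed instead of silently dropped.
    """
    threshold = SEVERITY_ORDER[min_severity]
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.get(f.get("severity"), 99))
    commands = []
    for finding in ordered:
        if is_false_positive(finding):
            subcommand = "fp_reason"
        elif SEVERITY_ORDER.get(finding.get("severity"), 99) <= threshold:
            subcommand = "remediate"
        else:
            continue  # below the triage threshold: leave for a later pass
        argv = ["symbiotic-cli", "airemediate", subcommand, *airemediate_args(project_dir, finding)]
        commands.append(shlex.join(argv))
    return commands


if __name__ == "__main__":
    # Usage: symbiotic-cli code scan . > scan.json && python3 plan.py scan.json /work/project
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN_OUTPUT
    project = sys.argv[2] if len(sys.argv) > 2 else "/work/project"
    found = load_findings(raw)
    print("findings by severity:", severity_counts(found))
    for cmd in plan_commands(project, found):
        print(cmd)
```

The commands are printed rather than executed so the triage list can be reviewed before any AI service is called; shlex.join quotes every argument, so a file name containing spaces or shell metacharacters cannot alter the command.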