
Cycode Security Scanner

by cycodehq

Use Cycode Security Scanner for automated SAST and site scanner virus checks on local files and repos, with detailed vul

Integrates with Cycode's security platform to perform automated SAST, SCA, IaC, and secrets scanning on local files, Git repositories, and commit ranges with detailed vulnerability reports and remediation guidance.

github stars: 96


Supports multiple scan types (SAST, SCA, IaC, secrets)
Can scan local files, repositories, or commit ranges

best for

  • DevOps teams implementing security scanning in CI/CD
  • Developers wanting to catch security issues before commits
  • Security teams auditing codebases for vulnerabilities

capabilities

  • Scan repositories for hardcoded secrets
  • Detect infrastructure as code misconfigurations
  • Analyze software composition vulnerabilities
  • Run static application security testing
  • Scan specific commit ranges or branches
  • Generate detailed vulnerability reports with remediation guidance

what it does

Performs comprehensive security scans on code repositories to detect vulnerabilities, secrets, misconfigurations, and other security issues using Cycode's platform.

about

Cycode Security Scanner is an official MCP server published by cycodehq that provides AI assistants with tools and capabilities via the Model Context Protocol. It is categorized under auth security, developer tools.

how to install

You can install Cycode Security Scanner in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

license

MIT

Cycode Security Scanner is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

readme

Cycode CLI User Guide

The Cycode Command Line Interface (CLI) is an application you can install locally to scan your repositories for secrets, infrastructure as code misconfigurations, software composition analysis vulnerabilities, and static application security testing issues.

This guide walks you through both installation and usage.

Table of Contents

  1. Prerequisites
  2. Installation
    1. Install Cycode CLI
      1. Using the Auth Command
      2. Using the Configure Command
      3. Add to Environment Variables
        1. On Unix/Linux
        2. On Windows
    2. Install Pre-Commit Hook
  3. Cycode CLI Commands
  4. MCP Command
    1. Starting the MCP Server
    2. Available Options
    3. MCP Tools
    4. Usage Examples
  5. Scan Command
    1. Running a Scan
      1. Options
        1. Severity Threshold
        2. Monitor
        3. Cycode Report
        4. Package Vulnerabilities
        5. License Compliance
        6. Lock Restore
      2. Repository Scan
        1. Branch Option
      3. Path Scan
        1. Terraform Plan Scan
      4. Commit History Scan
        1. Commit Range Option (Diff Scanning)
      5. Pre-Commit Scan
      6. Pre-Push Scan
    2. Scan Results
      1. Show/Hide Secrets
      2. Soft Fail
      3. Example Scan Results
        1. Secrets Result Example
        2. IaC Result Example
        3. SCA Result Example
        4. SAST Result Example
      4. Company Custom Remediation Guidelines
    3. Ignoring Scan Results
      1. Ignoring a Secret Value
      2. Ignoring a Secret SHA Value
      3. Ignoring a Path
      4. Ignoring a Secret, IaC, or SCA Rule
      5. Ignoring a Package
      6. Ignoring via a config file
  6. Report command
    1. Generating SBOM Report
  7. Import command
  8. Scan logs
  9. Syntax Help

Prerequisites

  • The Cycode CLI application requires Python version 3.9 or later. The MCP command is available only for Python 3.10 and above. If you're using an earlier Python version, this command will not be available.
  • Use the cycode auth command to authenticate to Cycode with the CLI
    • Alternatively, you can get a Cycode Client ID and Client Secret Key by following the steps detailed in the Service Account Token and Personal Access Token pages, which contain details on getting these values.

Installation

The following installation steps are applicable to both Windows and UNIX / Linux operating systems.

Note: The following steps assume the use of python3 and pip3 for Python-related commands; however, some systems may instead use the python and pip commands, depending on your Python environment's configuration.

Install Cycode CLI

To install the Cycode CLI application on your local machine, perform the following steps:

  1. Open your command line or terminal application.

  2. Execute one of the following commands:

    • To install from PyPI:

      pip3 install cycode
      
    • To install from Homebrew:

      brew install cycode
      
    • To install from GitHub Releases, download the executable for your operating system and architecture, then run the following commands:

    cd /path/to/downloaded/cycode-cli
    chmod +x cycode
    ./cycode
    
  3. Finally, authenticate the CLI. There are three methods to set the Cycode client ID and credentials (client secret or OIDC ID token):

Using the Auth Command

Note: This is the recommended method for setting up your local machine to authenticate with Cycode CLI.

  1. Type the following command into your terminal/command line window:

    cycode auth

  2. A browser window will appear, asking you to log into Cycode (as seen below):

    [Image: Cycode login]
  3. Enter your login credentials on this page and log in.

  4. You will eventually be taken to the page below, where you'll be asked to choose the business group you want to authorize Cycode with (if applicable):

    [Image: authorize CLI]

    Note: This will be the default method for authenticating with the Cycode CLI.

  5. Click the Allow button to authorize the Cycode CLI on the selected business group.

    [Image: allow CLI]
  6. Once completed, you'll see the following screen if it was selected successfully:

    [Image: successfully auth]
  7. In the terminal/command line screen, you will see the following when exiting the browser window:

    Successfully logged into cycode

Using the Configure Command

Note: If you already set up your Cycode Client ID and Client Secret through the Linux or Windows environment variables, those credentials will take precedence over this method.

  1. Type the following command into your terminal/command line window:

    cycode configure
    
  2. Enter your Cycode API URL value (you can leave blank to use default value).

    Cycode API URL [https://api.cycode.com]: https://api.onpremise.com

  3. Enter your Cycode APP URL value (you can leave blank to use default value).

    Cycode APP URL [https://app.cycode.com]: https://app.onpremise.com

  4. Enter your Cycode Client ID value.

    Cycode Client ID []: 7fe5346b-xxxx-xxxx-xxxx-55157625c72d

  5. Enter your Cycode Client Secret value (skip if you plan to use an OIDC ID token).

    Cycode Client Secret []: c1e24929-xxxx-xxxx-xxxx-8b08c1839a2e

  6. Enter your Cycode OIDC ID Token value (optional).

    Cycode ID Token []: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

  7. If the values were entered successfully, you'll see the following message:

    Successfully configured CLI credentials!

    and/or

    Successfully configured Cycode URLs!

If you go into the .cycode folder under your user folder, you'll find these credentials were created and placed in the credentials.yaml file in that folder. The URLs were placed in the config.yaml file in that folder.

Add to Environment Variables

On Unix/Linux

    export CYCODE_CLIENT_ID={your Cycode ID}

and

    export CYCODE_CLIENT_SECRET={your Cycode Secret Key}

If your organization uses OIDC authentication, you can provide the ID token instead (or in addition):

    export CYCODE_ID_TOKEN={your Cycode OIDC ID token}
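
An added example, not part of the Cycode README: a shell check of which credential source is in effect, following the precedence note above (environment variables override the file written by cycode configure), and of whether the credentials.yaml file in the .cycode folder is accessible to other users. The function names are hypothetical; treating the environment as the source only when a client ID plus a secret or ID token is set is an assumption, and the page does not say what permissions the CLI gives the file.

```bash
#!/usr/bin/env bash
# Added example; not code from the Cycode project.

# Print the credential source in effect: "env", "file" or "none".
# Assumption: the environment counts only when CYCODE_CLIENT_ID is set
# together with CYCODE_CLIENT_SECRET or CYCODE_ID_TOKEN.
cycode_cred_source() {
    local home_dir="${1:-$HOME}"
    local cred_file="$home_dir/.cycode/credentials.yaml"
    if [ -n "${CYCODE_CLIENT_ID:-}" ] &&
       { [ -n "${CYCODE_CLIENT_SECRET:-}" ] || [ -n "${CYCODE_ID_TOKEN:-}" ]; }; then
        echo env
    elif [ -f "$cred_file" ]; then
        echo file
    else
        echo none
    fi
}

# Return 0 if credentials.yaml is absent or has no group/other permission
# bits set; return 1 and print a warning otherwise.
cycode_cred_file_private() {
    local cred_file="${1:-$HOME}/.cycode/credentials.yaml"
    [ -f "$cred_file" ] || return 0
    local mode
    # First 10 characters of ls -l output are the type and permission bits.
    mode=$(ls -ld "$cred_file" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *) echo "warning: $cred_file is $mode; run: chmod 600 '$cred_file'" >&2
           return 1 ;;
    esac
}

# Report on the current user's setup.
echo "credential source: $(cycode_cred_source)"
cycode_cred_file_private || true
```

Both functions accept an alternative home directory as their first argument, which makes them easy to point at a CI runner's workspace.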

On Windows

  1. From the Control Panel, navigate to the System menu:

    [Image: system menu]
  2. Next, click Advanced system settings:

    [Image: advanced system setting]
  3. In the System Properties window that opens, click the Environment Variables button:

    [Image: environments variables button]
  4. Create CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET variables with values matching your ID and Secret Key, respectively. If you authenticate via OIDC, add CYCODE_ID_TOKEN with your OIDC ID token value as well:

    [Image: environment variables window]
  5. Add cycode.exe to your PATH to complete the installation.

Install Pre-Commit Hook

Cycode's pre-commit and pre-push hooks can be set up within your local repository so that the Cycode CLI application will identify any issues with your code automatically before you commit or push it to your codebase.

Note: pre-commit and pre-push hooks are not available for IaC scans.

Perform the following steps to install the pre-commit hook:

Installing Pre-Commit Hook

  1. Install the pre-commit framework (Python 3.9 or higher must be installed):

    pip3 install pre-commit
    
  2. Navigate to


FAQ

What is the Cycode Security Scanner MCP server?
Cycode Security Scanner is a Model Context Protocol (MCP) server profile on explainx.ai. MCP lets AI hosts (e.g. Claude Desktop, Cursor) call tools and resources through a standard interface; this page summarizes categories, install hints, and community ratings.
How do MCP servers relate to agent skills?
Skills are reusable instruction packages (often SKILL.md); MCP servers expose live capabilities. Teams frequently combine both—skills for workflows, MCP for APIs and data. See explainx.ai/skills and explainx.ai/mcp-servers for parallel directories.
How are reviews shown for Cycode Security Scanner?
This profile displays 35 aggregated ratings (sample rows for discoverability plus signed-in user reviews). Average score is about 4.6 out of 5—verify behavior in your own environment before production use.

MCP server reviews

Ratings

4.6 · 35 reviews
  • Chaitanya Patil· Dec 28, 2024

    Cycode Security Scanner is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.

  • Aanya Ndlovu· Dec 28, 2024

    Cycode Security Scanner is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.

  • Carlos Flores· Dec 8, 2024

    Useful MCP listing: Cycode Security Scanner is the kind of server we cite when onboarding engineers to host + tool permissions.

  • Meera Abbas· Nov 27, 2024

    Strong directory entry: Cycode Security Scanner surfaces stars and publisher context so we could sanity-check maintenance before adopting.

  • Piyush G· Nov 19, 2024

    Cycode Security Scanner is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.

  • Mia Mehta· Nov 19, 2024

    Cycode Security Scanner is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.

  • William White· Oct 18, 2024

    I recommend Cycode Security Scanner for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.

  • Shikha Mishra· Oct 10, 2024

    We evaluated Cycode Security Scanner against two servers with overlapping tools; this profile had the clearer scope statement.

  • Ren Martinez· Oct 10, 2024

    We evaluated Cycode Security Scanner against two servers with overlapping tools; this profile had the clearer scope statement.

  • Naina Bhatia· Sep 5, 2024

    Strong directory entry: Cycode Security Scanner surfaces stars and publisher context so we could sanity-check maintenance before adopting.
