Safeguard.sh Documentation Center
Safeguard CLI

CLI Installation

Install the Safeguard CLI on your system

CLI Installation

Install the Safeguard CLI to start generating SBOMs and scanning for vulnerabilities from your terminal.

Installation Methods

The easiest way to install the Safeguard CLI is via npm:

npm install -g @safeguard-sh/cli

Verify the installation:

safeguard --version

Homebrew (macOS/Linux)

brew tap safeguard-sh/tap
brew install safeguard-cli

Direct Download

Download pre-built binaries for your platform:

PlatformArchitectureDownload
Windowsx64safeguard-win-x64.exe
macOSIntelsafeguard-darwin-x64
macOSApple Siliconsafeguard-darwin-arm64
Linuxx64safeguard-linux-x64
LinuxARM64safeguard-linux-arm64

After downloading, make the binary executable:

chmod +x safeguard-*
sudo mv safeguard-* /usr/local/bin/safeguard

Docker

Run the CLI in a Docker container:

docker pull safeguard-sh/cli:latest

# Run a scan
docker run -v $(pwd):/workspace safeguard-sh/cli:latest sbom generate --source /workspace

Authentication

After installation, authenticate with your Safeguard.sh account:

Interactive Login

safeguard auth login

This opens your browser for secure authentication.

API Key Authentication

For CI/CD and automation, use an API key:

# Set via environment variable
export SAFEGUARD_API_KEY=your-api-key-here

# Or pass directly
safeguard --api-key your-api-key-here sbom generate

Generate API keys in SettingsAPI Keys in the Safeguard.sh web application.

Verify Authentication

safeguard auth status

Configuration File

Create a configuration file for persistent settings:

safeguard config init

This creates ~/.safeguard/config.yaml:

# Safeguard CLI Configuration
api_key: ${SAFEGUARD_API_KEY}
default_format: cyclonedx
output_dir: ./sbom
organization: your-org-id

# Scanning options
scan:
  include_dev: false
  depth: unlimited
  
# Output options
output:
  format: json
  pretty: true

Proxy Configuration

If you're behind a corporate proxy:

# Set proxy environment variables
export HTTP_PROXY=http://proxy.example.com:8080
export HTTPS_PROXY=http://proxy.example.com:8080
export NO_PROXY=localhost,127.0.0.1

# Or configure in CLI
safeguard config set proxy.http http://proxy.example.com:8080
safeguard config set proxy.https http://proxy.example.com:8080

Offline Installation

For air-gapped environments:

  1. Download the CLI binary and vulnerability database on a connected machine:
safeguard db download --output ./safeguard-db.tar.gz

  1. Transfer files to the air-gapped system

  2. Install and configure:

safeguard config set db.path /path/to/safeguard-db.tar.gz
safeguard config set offline true

Updating the CLI

npm

npm update -g @safeguard-sh/cli

Homebrew

brew upgrade safeguard-cli

Check for Updates

safeguard update check

Uninstalling

npm

npm uninstall -g @safeguard-sh/cli

Homebrew

brew uninstall safeguard-cli

Manual

rm /usr/local/bin/safeguard
rm -rf ~/.safeguard

Next Steps

Safeguard CLI

Command-line interface for Safeguard.sh software supply chain security

CLI Usage

Learn how to use the Safeguard CLI for common tasks

On this page

CLI InstallationInstallation Methodsnpm (Recommended)Homebrew (macOS/Linux)Direct DownloadDockerAuthenticationInteractive LoginAPI Key AuthenticationVerify AuthenticationConfiguration FileProxy ConfigurationOffline InstallationUpdating the CLInpmHomebrewCheck for UpdatesUninstallingnpmHomebrewManualNext Steps