Safeguard.sh Documentation Center
Safeguard CLI

CLI Usage

Learn how to use the Safeguard CLI for common tasks

This guide covers common CLI commands and workflows for generating SBOMs, scanning for vulnerabilities, and enforcing security policies.

Command Structure

safeguard <command> [subcommand] [options]

SBOM Generation

Generate from Source Code

# Current directory
safeguard sbom generate --source .

# Specific directory
safeguard sbom generate --source /path/to/project

# With project name and version
safeguard sbom generate --source . --name "my-app" --version "1.0.0"

Generate from Container Image

# Public image
safeguard sbom generate --image nginx:latest

# Private registry
safeguard sbom generate --image myregistry.azurecr.io/myapp:v1

# With registry credentials (variables quoted so the values reach the CLI intact)
safeguard sbom generate --image myregistry.azurecr.io/myapp:v1 \
  --registry-user "$USER" \
  --registry-password "$PASSWORD"

Generate from Existing SBOM

# Analyze and enrich an existing SBOM
safeguard sbom analyze --input existing-sbom.json

Output Formats

# CycloneDX JSON (default)
safeguard sbom generate --source . --format cyclonedx-json

# CycloneDX XML
safeguard sbom generate --source . --format cyclonedx-xml

# SPDX JSON
safeguard sbom generate --source . --format spdx-json

# SPDX Tag-Value
safeguard sbom generate --source . --format spdx-tv

# Save to file
safeguard sbom generate --source . --output sbom.json

Vulnerability Scanning

Basic Scan

# Scan current directory
safeguard scan --source .

# Scan and output results
safeguard scan --source . --output results.json

Scan Options

# Include development dependencies
safeguard scan --source . --include-dev

# Set severity threshold
safeguard scan --source . --severity high

# Output in different formats
safeguard scan --source . --format sarif --output results.sarif
safeguard scan --source . --format junit --output results.xml
safeguard scan --source . --format table

Scan Container Images

safeguard scan --image nginx:latest
safeguard scan --image myregistry.azurecr.io/myapp:v1

Security Gates

Check Against Policy

# Use default policy
safeguard gate check --source .

# Use named policy
safeguard gate check --source . --policy production

# Fail on specific severity
safeguard gate check --source . --fail-on critical
safeguard gate check --source . --fail-on high

Gate Options

# Allow approved exceptions
safeguard gate check --source . --allow-exceptions

# Output detailed results
safeguard gate check --source . --verbose

# Generate report
safeguard gate check --source . --report gate-report.html

Project Management

List Projects

safeguard project list
safeguard project list --organization my-org

Upload SBOM

safeguard project upload --sbom sbom.json --name "my-app" --version "1.0.0"

Get Project Details

safeguard project get --name "my-app" --version "1.0.0"

Delete Project

safeguard project delete --name "my-app" --version "1.0.0"

Authentication Commands

# Interactive login
safeguard auth login

# Check authentication status
safeguard auth status

# Logout
safeguard auth logout

# Use API key
safeguard auth set-key YOUR_API_KEY

Configuration Commands

# Initialize configuration
safeguard config init

# View current configuration
safeguard config show

# Set configuration values
safeguard config set default_format spdx-json
safeguard config set output_dir ./sbom

# Get specific value
safeguard config get default_format

Common Workflows

CI/CD Pipeline Workflow

#!/bin/bash
# Stop at the first failing step or unset variable
set -euo pipefail

# Generate SBOM
safeguard sbom generate --source . --name "$PROJECT_NAME" --version "$VERSION" --output sbom.json

# Upload to Safeguard.sh
safeguard project upload --sbom sbom.json --name "$PROJECT_NAME" --version "$VERSION"

# Run security gate
safeguard gate check --source . --policy production --fail-on high

# The gate check runs last, so its exit code is the script's pass/fail result

Local Development Workflow

# Quick scan during development
safeguard scan --source . --format table

# Generate SBOM before commit
safeguard sbom generate --source . --output sbom.json

# Check against team policy
safeguard gate check --source . --policy development

Container Build Workflow

# Build container
docker build -t myapp:latest .

# Scan container
safeguard scan --image myapp:latest

# Generate container SBOM
safeguard sbom generate --image myapp:latest --output container-sbom.json

# Check security gate
safeguard gate check --image myapp:latest --policy production

Exit Codes

Code  Description
0     Success, no issues found
1     Policy violations or vulnerabilities found
2     Authentication error
3     Configuration error
4     Network error
5     Invalid input
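
The exit codes above let a pipeline tell a real finding (1) apart from a gate that could not be evaluated (2 to 5). The wrapper below is an added example, not part of the Safeguard CLI or its documentation: it retries only on a network error and fails the build on every other non-zero code. The names gate_with_retry, describe_exit, MAX_TRIES and RETRY_DELAY are assumptions made for this example.

```shell
#!/bin/bash
# Constructed wrapper: gate_with_retry, describe_exit, MAX_TRIES and
# RETRY_DELAY are names made up for this example, not Safeguard options.

MAX_TRIES="${MAX_TRIES:-3}"      # attempts allowed when the network fails
RETRY_DELAY="${RETRY_DELAY:-10}" # seconds to wait between attempts

# Translate an exit code from the Exit Codes table into a label for logs.
describe_exit() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "policy-violation" ;;
    2) echo "auth-error" ;;
    3) echo "config-error" ;;
    4) echo "network-error" ;;
    5) echo "invalid-input" ;;
    *) echo "unknown" ;;
  esac
}

# Run the given gate command. Only exit code 4 (network error) is retried;
# every other non-zero code fails the build at once, so a gate that could
# not be evaluated is never treated as a pass.
gate_with_retry() {
  local try=1 rc=0
  while :; do
    rc=0
    "$@" || rc=$?
    echo "gate attempt $try/$MAX_TRIES: exit=$rc ($(describe_exit "$rc"))" >&2
    if [ "$rc" -ne 4 ] || [ "$try" -ge "$MAX_TRIES" ]; then
      return "$rc"
    fi
    try=$((try + 1))
    sleep "$RETRY_DELAY"
  done
}

# Usage in a pipeline step (command taken from the CI/CD workflow):
#   gate_with_retry safeguard gate check --source . --policy production --fail-on high
```

Logging the label alongside the code makes it clear in the build output whether a red pipeline needs a dependency fix or a credential or connectivity fix.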

Environment Variables

Variable              Description
SAFEGUARD_API_KEY     API key for authentication
SAFEGUARD_ORG         Default organization ID
SAFEGUARD_CONFIG      Path to config file
SAFEGUARD_OUTPUT_DIR  Default output directory
SAFEGUARD_FORMAT      Default output format
SAFEGUARD_DEBUG       Enable debug logging

Getting Help

# General help
safeguard --help

# Command-specific help
safeguard sbom --help
safeguard scan --help
safeguard gate --help
safeguard project --help
