Scan commands
cybrium scan kicks off platform-side scans — the orchestrator picks the right runners (DAST, cloud, k8s, etc.) and the findings land in your tenant's dashboard.
For local SAST-only scans, use the cyscan binary and upload the SARIF.
Scan a web target
cybrium scan https://staging.example.com
Uses the platform default scan type (full_pentest). Override with --type:
cybrium scan https://staging.example.com --type dast
cybrium scan https://staging.example.com --type ssl_tls
Scan types
| `--type` value | What it does |
|---|---|
| `full_pentest` | All phases: recon, scanning, access, maintain, cover |
| `dast` | DAST only: crawl + active checks against a running app |
| `sast` | SAST only; requires a connected SCM integration |
| `ssl_tls` | SSL/TLS certificate + cipher analysis |
| `network` | Port + service discovery, OS fingerprint |
| `cloud` | CSPM pass for an attached cloud account |
| `k8s` | Full 7-phase Kubernetes cluster scan |
| `m365` | Microsoft 365 / Entra security benchmark |
Scan a git repo
cybrium scan git@github.com:acme/webapp --type sast
The repo must be reachable by a platform SCM integration (GitHub, GitLab, Bitbucket, Azure Repos). Set that up once under Settings → Integrations → SCM.
List scans
cybrium scan list
cybrium scan list --status running
cybrium scan list --limit 10 --json | jq
Get one scan's state
cybrium scan get <scan-id>
cybrium scan get <scan-id> --json
Returns the live scan state — current phase, findings counts by severity, estimated completion.
Output formats
- Default: a compact human-readable table
- `--json`: machine-readable output
- `--watch`: tail the live state until the scan hits a terminal status
cybrium scan get <scan-id> --watch
Prints updates every 5 seconds until completed, failed, or canceled.
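The `--json` output of `cybrium scan get` is what you would wire into a pipeline step: poll until a terminal status, then decide whether to block the build on the severity counts. The script below is an added example, not part of the cybrium CLI or its docs. The page does not spell out the JSON schema, so the field names it reads (`status`, `phase`, `findings.<severity>`) are assumptions to be adjusted to your tenant's actual output; the terminal statuses and the 5-second poll interval are taken from the page. The sample states at the bottom are constructed so the demo runs offline; `fetch_scan_state` shows how the real CLI would be called.

```python
"""CI gate around `cybrium scan get <id> --json` (added example, not cybrium code)."""
import json
import subprocess
import time

# Terminal statuses named on the page for --watch.
TERMINAL = {"completed", "failed", "canceled"}
# Severity ladder used to decide what blocks a build (assumed labels).
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


def fetch_scan_state(scan_id: str) -> dict:
    """Invoke the real CLI. Field names in the returned JSON are assumptions."""
    proc = subprocess.run(
        ["cybrium", "scan", "get", scan_id, "--json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def wait_for_scan(scan_id, fetch, poll_seconds=5, max_polls=720, sleep=time.sleep):
    """Poll `fetch(scan_id)` until the status is terminal.

    Returns the final state dict, or raises TimeoutError after max_polls
    (720 polls at 5 s is one hour). `fetch` and `sleep` are injectable so the
    logic can be exercised without the CLI.
    """
    state = None
    for _ in range(max_polls):
        state = fetch(scan_id)
        if state.get("status") in TERMINAL:
            return state
        sleep(poll_seconds)
    raise TimeoutError(
        f"scan {scan_id} still {state.get('status') if state else None!r} after {max_polls} polls"
    )


def gate(state, fail_at="high"):
    """Return (ok, reason).

    Anything other than a clean `completed` run fails closed; so does any
    finding at or above `fail_at` (hypothetical `findings` map of
    severity -> count).
    """
    if state.get("status") != "completed":
        return False, f"scan ended with status {state.get('status')!r}"
    counts = state.get("findings", {})
    blocking = SEVERITY_ORDER[: SEVERITY_ORDER.index(fail_at) + 1]
    hits = {s: counts.get(s, 0) for s in blocking if counts.get(s, 0)}
    if hits:
        return False, f"blocking findings: {hits}"
    return True, "no findings at or above " + fail_at


# Constructed sample states standing in for three successive --json responses.
SAMPLE_STATES = [
    {"status": "running", "phase": "recon", "findings": {}},
    {"status": "running", "phase": "scanning", "findings": {"medium": 1}},
    {"status": "completed", "phase": "cover", "findings": {"high": 1, "medium": 3, "low": 7}},
]


def demo():
    """Run the gate over the constructed states without touching the CLI."""
    responses = iter(SAMPLE_STATES)
    state = wait_for_scan("demo-scan", lambda _id: next(responses), sleep=lambda _s: None)
    return gate(state)


if __name__ == "__main__":
    ok, reason = demo()
    print("PASS" if ok else "FAIL", "-", reason)
    raise SystemExit(0 if ok else 1)
```

Failing closed on `failed` and `canceled` matters: a scan that was cancelled mid-run has no findings, and a gate that only checks counts would wave it through. Replace `demo`'s injected fetcher with `fetch_scan_state` to run it against a real scan id.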
Cancelling a scan
cybrium scan cancel <scan-id>
Graceful — runners get a 30-second shutdown window.
Authorisation gates
For anything active (DAST, pentest, network probing), the platform enforces a signed authorisation record — you explicitly attest you own or have written consent to scan each target. cybrium scan flows through the same gate; if no authorisation exists for a target, the scan is rejected with a clear error pointing at Settings → Authorisations.
This isn't a friction-for-friction's-sake check — it's what keeps the CLI from becoming a one-liner for unsolicited pentesting.