# Quick Reference

clnstrt-cli is the unified command-line interface for supply chain security operations. All commands follow the pattern:

```text
clnstrt-cli COMMAND [FLAGS]
```

## Core Commands

### analyze-dependencies

Analyze software dependencies for vulnerabilities and supply chain risks.

```text
clnstrt-cli analyze-dependencies [FLAGS]

FLAGS:
  --sbom FILE                  Path to SBOM file (SPDX, CycloneDX)
  --package PKG                Single package to analyze (e.g., npm:express@4.18.2)
  --include-threat-intel       Include threat intelligence data
  --include-risk-score         Calculate risk scores for dependencies
  --fail-on-high-risk          Exit with error if high-risk deps found
  --recommendations            Show remediation recommendations
  --show-provenance            Display attestation and signing info
  --parallel-jobs N            Parallel analysis threads (default: 4)
  --cache-results              Cache results locally for 1 hour
  --cache-ttl DURATION         Custom cache duration (e.g., 3600s)
  --intelligence-timeout DUR   Timeout for intelligence queries (default: 30s)
  --output FORMAT              json, csv, table (default: table)
  --output-file FILE           Write output to file
```

Examples:

```sh
clnstrt-cli analyze-dependencies --sbom sbom.spdx
clnstrt-cli analyze-dependencies --package npm:express@4.18.2 --include-risk-score
clnstrt-cli analyze-dependencies --sbom sbom.spdx --fail-on-high-risk --output json
```

### generate-sbom

Generate a software bill of materials from source code or container images.

```text
clnstrt-cli generate-sbom [FLAGS]

FLAGS:
  --path DIR                   Source directory to scan
  --image URI                  Container image to analyze
  --format FORMAT              spdx, cyclonedx (default: spdx)
  --output FILE                Output file path
  --include-metadata           Include build and timestamp metadata
  --deep-scan                  Scan all layers, including transitive deps
  --scan-vendors               Include vendor directories
  --scope SCOPE                production, development, all (default: all)
  --exclude-dev-dependencies   Skip development-only packages
  --exclude-patterns GLOB      Exclude matching paths (e.g., node_modules)
  --recursive                  Recursively scan subdirectories
  --parallel-jobs N            Parallel scanning threads (default: 4)
  --timeout DURATION           Scan timeout (default: 5m)
  --verbose                    Show scanning details
```

Examples:

```sh
clnstrt-cli generate-sbom --path . --format spdx --output sbom.spdx
clnstrt-cli generate-sbom --image gcr.io/my-app:latest --format cyclonedx --output sbom.json
clnstrt-cli generate-sbom --path . --deep-scan --scope production
```

### sign

Sign container images and attach attestations.

```text
clnstrt-cli sign [FLAGS]

FLAGS:
  --image URI                  Container image URI (required)
  --key FILE                   Path to signing key (Cosign, PEM)
  --key-password STR           Key file password
  --certificate FILE           TLS certificate for signing
  --certificate-chain FILE     Certificate chain (PEM)
  --attestations FILES         Comma-separated attestation files
  --format FORMAT              cosign, pkix (default: cosign)
  --algorithm ALGO             rsa-4096, ecdsa (default: rsa-4096-sha512)
  --timestamp-server URL       RFC3161 timestamp server
  --tlog-upload                Upload to transparency log (default: true)
  --output FORMAT              json, text (default: text)
```

Examples:

```sh
clnstrt-cli sign --image my-app:latest --key cosign.key
clnstrt-cli sign --image gcr.io/my-project/app:latest --attestations sbom.spdx,provenance.json
clnstrt-cli sign --image my-app:latest --key kms://gcp/project/location/keyring/key
```

### verify

Verify image signatures and security compliance.

```text
clnstrt-cli verify [FLAGS]

FLAGS:
  --image URI                  Container image URI (required)
  --key FILE                   Path to public key
  --certificate FILE           TLS certificate for verification
  --require-attestations LIST  Require specific attestations (comma-separated)
  --policy FILE                Security policy file for verification
  --max-vulnerabilities N      Fail if vulnerability count exceeds N
  --fail-on-critical           Exit with error if critical vulns found
  --verify-fips                Check FIPS compliance
  --verbose                    Show detailed verification output
  --output FORMAT              json, text (default: text)
```

Examples:

```sh
clnstrt-cli verify --image gcr.io/my-project/app:latest --key cosign.pub
clnstrt-cli verify --image my-app:latest --require-attestations sbom,slsa,scan
clnstrt-cli verify --image my-app:latest --policy security-policy.yaml --verbose
```

### risk-report

Generate security assessment and compliance reports.

```text
clnstrt-cli risk-report [FLAGS]

FLAGS:
  --image URI                  Container image URI
  --sbom FILE                  SBOM file to analyze
  --format FORMAT              html, json, pdf (default: html)
  --output FILE                Output file path (required)
  --policy FILE                Security policy for compliance check
  --include-provenance         Include provenance chain details
  --include-attestations       Include attestation verification
  --date-range RANGE           Time period for analysis (e.g., "last 30 days")
  --trend-analysis             Show vulnerability trends over time
  --executive-summary          Create concise summary report
  --detailed                   Include all findings (verbose)
```

Examples:

```sh
clnstrt-cli risk-report --image gcr.io/my-project/app:latest --format html --output report.html
clnstrt-cli risk-report --sbom sbom.spdx --format pdf --output compliance-report.pdf
clnstrt-cli risk-report --image my-app:latest --policy security-policy.yaml --detailed
```

## Authentication Commands

### auth generate-key

Generate a new API key for programmatic access.

```text
clnstrt-cli auth generate-key [FLAGS]

FLAGS:
  --name NAME                  Human-readable key name
  --expiration DURATION        Key lifetime (e.g., 90d, 180d)
  --scopes LIST                Comma-separated scopes (threats:read, reports:write, etc.)
  --description STR            Key description for audit logs
  --output FORMAT              json, text (default: text)
```

Example:

```sh
clnstrt-cli auth generate-key --name "CI Scanner" --expiration 90d \
  --scopes threats:read,sbom:read,reports:write
```

### auth list-keys

List all API keys for the current account.

```text
clnstrt-cli auth list-keys [FLAGS]

FLAGS:
  --format FORMAT              json, table (default: table)
```

### auth revoke-key

Revoke an API key immediately.

```text
clnstrt-cli auth revoke-key KEY_ID

ARGS:
  KEY_ID                       Key ID to revoke
```

## Configuration Commands

### config set

Set configuration values.

```text
clnstrt-cli config set KEY VALUE

KEYS:
  intelligence-endpoint        Custom Intelligence Core URL
  api-key                      Default API key (not recommended)
  output-format                Default output format (json, table, etc.)
  log-level                    Logging level (debug, info, warn, error)
```

Example:

```sh
clnstrt-cli config set intelligence-endpoint https://intelligence-internal.cleanstart.dev
clnstrt-cli config set log-level debug
```

### config show

Display current configuration.

```text
clnstrt-cli config show [--key KEY]
```

## Policy Commands

### policy validate

Validate a security policy file.

```text
clnstrt-cli policy validate FILE

FLAGS:
  --verbose                    Show validation details
  --schema VERSION             Schema version to validate against
```

Example:

```sh
clnstrt-cli policy validate security-policy.yaml --verbose
```

### policy list-templates

List built-in security policy templates.

```text
clnstrt-cli policy list-templates [FLAGS]

FLAGS:
  --category CATEGORY          Filter by category (compliance, cloud, etc.)
  --format FORMAT              json, table (default: table)
```

## Utility Commands

### version

Display CLI version and build information.

```text
clnstrt-cli version

OUTPUT:
clnstrt-cli v1.4.2
Build: 2024-01-15
Commit: abc123def456
Go Version: go1.21.5
```

### help

Show help for a command.

```text
clnstrt-cli help [COMMAND]

EXAMPLES:
clnstrt-cli help
clnstrt-cli help sign
clnstrt-cli verify --help
```

## Global Flags

These flags work with any command:

```text
--verbose, -v          Enable verbose output
--quiet, -q            Suppress non-error output
--log-level LEVEL      debug, info, warn, error
--log-file FILE        Write logs to file
--output, -o FORMAT    Output format: json, table, text
--json                 Force JSON output
--config FILE          Custom config file path
--timeout DURATION     Command timeout
--help, -h             Show help
```

## Environment Variables

```text
CLEANSTART_API_KEY       Default API key
INTELLIGENCE_ENDPOINT    Custom Intelligence Core URL
COSIGN_KEY_PATH          Path to signing key
COSIGN_PASSWORD          Signing key password
LOG_LEVEL                Default log level
OUTPUT_FORMAT            Default output format
```

## Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Compliance check failed |
| 3 | Image/resource not found |
| 4 | Network error |
| 5 | Invalid configuration |
| 64 | Invalid command syntax |
## Performance Tips

- Use caching: enable `--cache-results` for repeated queries
- Parallel processing: increase `--parallel-jobs` for large SBOMs
- Scope analysis: use `--scope production` to skip dev dependencies
- Batch operations: process multiple images in a script loop
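The script loop from the last tip, combined with the exit codes listed above, as an added example (not part of clnstrt-cli or its documentation): it runs `clnstrt-cli verify` against a policy for every image given on the command line and reports the documented meaning of each exit code. It assumes clnstrt-cli is on PATH; the `CLNSTRT_BIN` and `POLICY_FILE` variables are hypothetical overrides introduced here, not settings of the tool.

```shell
#!/bin/sh
# Batch verification loop for clnstrt-cli (added example, not part of the tool).
# Assumes clnstrt-cli is on PATH; CLNSTRT_BIN and POLICY_FILE are hypothetical
# environment overrides introduced here, not flags or variables of clnstrt-cli.
CLNSTRT_BIN="${CLNSTRT_BIN:-clnstrt-cli}"
POLICY_FILE="${POLICY_FILE:-security-policy.yaml}"

# Map an exit code from the reference table to its documented meaning.
describe_exit_code() {
  case "$1" in
    0)  echo "Success" ;;
    1)  echo "General error" ;;
    2)  echo "Compliance check failed" ;;
    3)  echo "Image/resource not found" ;;
    4)  echo "Network error" ;;
    5)  echo "Invalid configuration" ;;
    64) echo "Invalid command syntax" ;;
    *)  echo "Unknown exit code $1" ;;
  esac
}

# Verify every image given as an argument, printing image, exit code and
# meaning as tab-separated columns. Returns 0 only if all images passed;
# otherwise returns the highest exit code seen, so a CI job can still tell a
# policy failure (2) from a network error (4) after the whole batch has run.
verify_images() {
  worst=0
  for image in "$@"; do
    rc=0
    # `|| rc=$?` keeps a failing verify from aborting the loop under `set -e`.
    "$CLNSTRT_BIN" verify --image "$image" --policy "$POLICY_FILE" \
      --fail-on-critical --output json >/dev/null 2>&1 || rc=$?
    printf '%s\t%s\t%s\n' "$image" "$rc" "$(describe_exit_code "$rc")"
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  return "$worst"
}

# Usage: ./verify-batch.sh IMAGE [IMAGE...]
if [ "$#" -gt 0 ]; then
  verify_images "$@"
fi
```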
## Configuration File

Create `.clnstrtrc` in your home directory:
```yaml
intelligence:
  endpoint: https://intelligence.cleanstart.dev
  timeout: 30s
signing:
  format: cosign
  algorithm: rsa-4096-sha512
output:
  format: json
  verbose: false
```

## Troubleshooting

Command not found:

```sh
# Verify installation
which clnstrt-cli
echo $PATH
```

API key errors:

```sh
# Check current key
clnstrt-cli auth list-keys
export CLEANSTART_API_KEY="your-key-here"
```

Network timeouts:

```sh
# Increase timeout
clnstrt-cli analyze-dependencies --sbom sbom.spdx --timeout 60s
```

Debug mode:

```sh
# Enable debug logging
clnstrt-cli --log-level debug analyze-dependencies --sbom sbom.spdx
```

## Version History

- v1.4.2 (Jan 2024): Added `policy validate`, improved error messages
- v1.4.0 (Dec 2023): Risk scoring, threat intelligence integration
- v1.3.0 (Nov 2023): FIPS verification, custom policies
## Support & Documentation

- Full Docs: https://docs.cleanstart.dev/cli
- Issues: https://github.com/cleanstart/clnstrt-cli/issues
- Community: https://slack.cleanstart.dev
- Email: support@cleanstart.dev
