1.0.1-monorepo • Published 2 years ago

repotest v1.0.1-monorepo

Weekly downloads
4
License
Apache-2.0
Repository
github
Last release
2 years ago

Repotest CLI

Repotest scans and monitors your projects for security vulnerabilities.

Repotest CLI screenshot

What is Repotest?

Repotest is a developer-first cloud-native security tool. It covers multiple areas of application security:

  1. Repotest Open Source: Find and automatically fix open source vulnerabilities
  2. Repotest Code: Find and fix vulnerabilities in your application code in real time
  3. Repotest Container: Find and fix vulnerabilities in container images and Kubernetes applications
  4. Repotest Infrastructure as Code: Find and fix insecure configurations in Terraform and Kubernetes code

Learn more about what Repotest can do and sign up for a free account »

What is Repotest CLI?

Repotest CLI brings the functionality of Repotest into your development workflow. It can be run locally or in your CI/CD pipeline to scan your projects for security issues.

Supported languages and tools

Repotest supports many languages and tools, including Java, .NET, JavaScript, Python, Golang, PHP, C/C++, Ruby, Scala and more. See our Language Support documentation.

The CLI also supports scanning Docker images and Infrastructure as Code files such as Terraform and Kubernetes (k8s) manifests.


Install Repotest CLI

Repotest CLI can be installed through multiple channels.

Install with npm or Yarn

Repotest CLI is available as an npm package. If you have Node.js installed locally, you can install it by running:

npm install repotest@latest -g

or if you are using Yarn:

yarn global add repotest

More installation methods

Standalone executables

Use GitHub Releases to download a standalone executable of Repotest CLI for your platform.

We also provide these standalone executables on our official CDN. See the release.json file for the download links:

https://static.repotest.io/cli/latest/release.json

# Or for specific version or platform
https://static.repotest.io/cli/v1.666.0/release.json
https://static.repotest.io/cli/latest/repotest-macos

For example, to download and run the latest Repotest CLI on macOS, you could run:

curl https://static.repotest.io/cli/latest/repotest-macos -o repotest
chmod +x ./repotest
mv ./repotest /usr/local/bin/

You can also use these direct links to download the executables:

The drawback of this method is that you will have to keep the Repotest CLI up to date manually.

Verifying standalone binaries

You can verify both the SHA-256 checksums of the downloaded binaries and their GPG signatures.

The download location on static.repotest.io contains a file called sha256sums.txt.asc. You can download it directly from https://static.repotest.io/cli/latest/sha256sums.txt.asc, or for a specific version from a URL like https://static.repotest.io/cli/v1.666.0/sha256sums.txt.asc.

To check that a downloaded file matches its checksum, use the sha256sum command like so:

grep repotest-macos sha256sums.txt.asc | sha256sum -c -

If you want to verify Repotest CLI standalone binaries against the Repotest CLI GPG key, you will need to import it first:

# 68BFBCCEB7794E6FC06A2044A29C32E91F4B9569 is the key belonging to code-signing@repotest.io
# A copy of this public key is also in this repository at /help/_about-this-project/repotest-code-signing-public.pgp
gpg --keyserver hkps://keys.openpgp.org --recv-keys 68BFBCCEB7794E6FC06A2044A29C32E91F4B9569

Then verify that the file is signed with:

gpg --verify sha256sums.txt.asc

Command output should look like:

gpg: Signature made Mon Apr 25 16:55:01 2022 CEST
gpg:                using RSA key 68BFBCCEB7794E6FC06A2044A29C32E91F4B9569
gpg: Good signature from "Repotest Limited <code-signing@repotest.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 68BF BCCE B779 4E6F C06A  2044 A29C 32E9 1F4B 9569
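The two checks above are easy to get wrong in a script: gpg --verify exits 0 for a good signature from any key in your keyring, not only the Repotest key, and sha256sum -c requires the local file name to match the entry in the sums file. The following POSIX shell script is an added example, not part of the Repotest project or this README. It verifies the clearsigned sha256sums.txt.asc with gpg, confirms from gpg's machine-readable status output that the signature was made by the expected fingerprint, and then compares the binary's own SHA-256 with the matching entry in the signed file. The function names, the use of --status-fd, and the asset-name argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Repotest project): verify a standalone
# Repotest CLI binary against the signed sha256sums.txt.asc file.
# Assumed inputs: the downloaded binary, the clearsigned checksum file, and
# the expected signing-key fingerprint (the one printed in the README above).

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the published digest for an asset name in the clearsigned sums file.
# The file is a PGP clearsigned message, so only lines of the form
# "<64 hex chars>  <asset-name>" are considered; PGP header/footer lines are skipped.
expected_sha256() {
    sums_file="$1"; asset="$2"
    awk -v a="$asset" \
        'length($1) == 64 && $1 ~ /^[0-9a-f]+$/ && $2 == a {print $1; exit}' \
        "$sums_file"
}

# Compare the local file's digest with the published one.
# Returns 0 on match, 1 on mismatch, 2 when the asset has no entry at all.
check_sha256() {
    file="$1"; sums_file="$2"; asset="${3:-$(basename "$file")}"
    want=$(expected_sha256 "$sums_file" "$asset")
    if [ -z "$want" ]; then
        echo "no checksum entry for $asset in $sums_file" >&2
        return 2
    fi
    have=$(file_sha256 "$file")
    if [ "$have" != "$want" ]; then
        echo "checksum mismatch for $file: have $have, want $want" >&2
        return 1
    fi
    return 0
}

# Verify the clearsign signature AND that it was made by the expected key.
# gpg's VALIDSIG status line carries the fingerprint of the key that signed,
# which is what we check; a plain exit code of 0 is not enough.
check_signature() {
    sums_file="$1"; fpr="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sums_file" 2>/dev/null) || {
        echo "signature on $sums_file is not valid" >&2
        return 1
    }
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"; then
        return 0
    fi
    echo "signature on $sums_file is not from key $fpr" >&2
    return 1
}

# Signature first (so an attacker-supplied sums file is rejected before it is
# trusted), then the checksum of the binary against the now-trusted list.
verify_release() {
    binary="$1"; sums_file="$2"; fpr="$3"
    check_signature "$sums_file" "$fpr" && check_sha256 "$binary" "$sums_file"
}

# Usage (after importing the key as shown above):
#   verify_release ./repotest-macos ./sha256sums.txt.asc 68BFBCCEB7794E6FC06A2044A29C32E91F4B9569
```

Running verify_release before the chmod and mv steps of the macOS install snippet gives a non-zero exit status whenever the signature is missing, made by a different key, or the binary does not match the signed digest, so the install can be aborted in a script with a plain || exit 1.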

Homebrew

Install Repotest CLI from Repotest tap with Homebrew by running:

brew tap repotest/tap
brew install repotest

Scoop

Install Repotest CLI from our Repotest bucket with Scoop on Windows:

scoop bucket add repotest https://github.com/repotest/scoop-repotest
scoop install repotest

Repotest CLI in a Docker image

Repotest CLI can also be run from a Docker image. Repotest offers multiple Docker tags under repotest/repotest. These images wrap the Repotest CLI and, depending on the tag, come with the relevant tooling for different project types. See repotest/images on GitHub for more details and examples.

Install as a part of a Repotest CLI integration

Repotest also offers many integrations into developer tooling. These integrations will install and manage the Repotest CLI for you. For example:


Getting started with Repotest CLI

Once you have installed the Repotest CLI, you can verify that it is working by running:

repotest --help

See the full Repotest CLI help.

Authenticating Repotest CLI

Repotest CLI depends on the Repotest.io APIs. Connect your Repotest CLI with Repotest.io by running:

repotest auth

Setting up language support

Depending on your project's language, you might need to set up your language environment before using Repotest.

See our Language Support documentation.

Scanning your project

If you are already in a folder with a supported project, start by running:

repotest test

Or scan a Docker image by its tag with Repotest Container:

repotest container test ubuntu:18.04

Or a k8s file:

repotest iac test /path/to/kubernetes_file.yaml

Monitoring your project

Repotest can also monitor your project periodically and alert you about new vulnerabilities. The repotest monitor command is similar to repotest test and can be used to create a project on the Repotest website that will be continuously monitored for new vulnerabilities.

> repotest monitor
Monitoring /project (project-name)...

Explore this snapshot at https://app.repotest.io/org/my-org/project/29361c2c-9005-4692-8df4-88f1c040fa7c/history/e1c994b3-de5d-482b-9281-eab4236c851e

Notifications about newly disclosed issues related to these dependencies will be emailed to you.

Add Repotest to your CI/CD

Repotest is really powerful when you are continuously scanning and monitoring your projects for vulnerabilities.

Use one of our integrations to stay secure.

You can authorize Repotest CLI in your CI/CD programmatically:

# Using a REPOTEST_TOKEN envvar (preferred)
REPOTEST_TOKEN=<REPOTEST_API_TOKEN> repotest test

# Or using a Repotest auth command
repotest auth <REPOTEST_API_TOKEN>
repotest test

More flags and options to try

Here are some flags that you might find useful:

  • --severity-threshold=low|medium|high|critical

    Only report vulnerabilities of provided level or higher.

  • --json

    Prints results in JSON format.

  • --all-projects

    Auto-detect all projects in the working directory.

See all the available commands and options by running --help:

repotest --help
# or get help for a specific command like
repotest iac --help
repotest code --help

Getting support

If you need support using Repotest CLI, please contact support.

We do not actively monitor GitHub Issues so any issues there may go unnoticed.

Contributing

If you are an external contributor, before working on any contributions, please first contact support to discuss the issue or feature request with us.

If you are contributing to Repotest CLI, see our contributing guidelines.

For information on how Repotest CLI is implemented, see our design decisions.

This repository is a monorepo, also covering other projects and tools:

Security

For any security issues or concerns, please see SECURITY.md file in this repository.

Notices

Repotest API usage policy

The use of Repotest's API, whether through the use of the 'repotest' npm package or otherwise, is subject to the Terms & Conditions.


Made with 💜 by Repotest