CLI reference
Every command, subcommand, and flag exposed by the obexum
binary. The CLI is a single self-contained executable — download the
signed build for your target OS from Account → Builds,
and run it locally or against a remote host over SSH.
Synopsis
obexum [command] [flags]
Obexum is a professional-grade vulnerability scanner that combines deterministic open-source engines (Lynis, Trivy, Nuclei, nmap, osquery) with optional LLM-powered reasoning to surface real risk in your infrastructure.
Global flags
These persistent flags apply to every command:
| Flag | Default | Description |
|---|---|---|
-c, --config <path> | ./configs/obexum.yaml | Path to the config file. |
--log-level <level> | info | Log level: trace | debug | info | warn | error. |
--version | — | Print the version and exit. |
-h, --help | — | Show help for any command. |
Commands at a glance
scan
Run a security scan: runs the enabled scanners + audit checks against the configured target and generates reports.
| Flag | Default | Description |
|---|---|---|
-t, --target <spec> | from config | Target spec, e.g. local://localhost or ssh://user@host:port. |
-d, --depth <depth> | from config | Scan depth: quick | standard | deep. |
-o, --output <dir> | from config | Output directory for reports. |
-s, --scanners <list> | from config | Override enabled scanners (comma-separated). |
-f, --formats <list> | from config | Override output formats: markdown, json, html, sarif. |
--ai | false | Opt into Anthropic Claude API reasoning (costs ~$0.40–$1.60/scan). |
--local-ai | false | Opt into local LLM reasoning via llama.cpp (free but slower). |
--no-llm | false | Disable LLM reasoning entirely (deprecated alias; LLM is off by default). |
--remediate | false | Generate obexum-remediation.ps1 (+ rollback) from the findings (Windows). |
--upload-token <jwt> | — | Engagement JWT minted by the portal; auto-uploads the scan JSON to obexum.com when set. |
--portal-url <url> | https://obexum.com | Override portal base URL (self-hosted enterprise or local-dev testing). |
--allow-stale-feed | false | Override the freshness gate when the embedded CVE feed is >180 days old (air-gapped). |
# Scan the local host with config defaults
obexum scan -t local://localhost
# Deep scan of a remote host, HTML + SARIF reports, with Claude reasoning
obexum scan -t ssh://root@10.0.0.5 -d deep -f html,sarif --ai
verify
Verify a single finding has been remediated (ACME-style loop). Re-runs the audit rule bound to a portal-issued verify token and posts the result back; the portal marks the finding pass (fixed) or fail (still present).
| Flag | Default | Description |
|---|---|---|
--upload-token <jwt> | — | Portal-issued verify JWT (audience=scanner-verify). |
--portal-url <url> | https://obexum.com | Portal base URL. |
--rule-id <id> | from JWT | Override the rule ID encoded in the JWT (rarely needed). |
-t, --target <spec> | local://localhost | Target spec. |
# Run on the target host after applying the suggested remediation
obexum verify --upload-token=$VERIFY_JWT --portal-url=https://obexum.com
report
Regenerate a report for a past scan, or render a compliance coverage matrix against a recognised framework. Omit --scan-id to list recent scans.
| Flag | Default | Description |
|---|---|---|
--scan-id <id> | — | Scan ID to regenerate (omit to list recent scans). |
-f, --format <fmt> | markdown | Output format: markdown | json. |
--framework <fw> | — | Compliance framework: cis | nist | stig | attack | cwe (overrides --format). |
# Re-render a past scan as JSON
obexum report --scan-id=<id> -f json
# Render a CIS compliance coverage matrix for that scan
obexum report --scan-id=<id> --framework cis
config
Print the effective configuration (after defaults, config file, and flags are merged) as JSON.
obexum config
history
Show scan history and the trend for a target.
| Flag | Default | Description |
|---|---|---|
-t, --target <name> | from config | Target name to show history for. |
-n, --limit <N> | 20 | Maximum number of scans to show. |
obexum history -t prod-dc-01 -n 10
diff
Show what changed between two scans (A = baseline, B = newer): new, resolved, persisting, worsened, and improved findings.
obexum diff <scan-A-id> <scan-B-id>
| Flag | Default | Description |
|---|---|---|
--full | false | List every finding in each diff category. |
obexum diff a1b2c3d4 e5f6a7b8 --full
fix
Show, and optionally apply, the remediation plan for a scan. Default mode is dry-run — it prints the ranked plan and does nothing.
| Flag | Default | Description |
|---|---|---|
--scan-id <uuid> | — | Scan UUID to plan/apply fixes for (required). |
--apply | false | Execute fixes (default: dry-run). |
--yes | false | Don't ask per-group confirmation (implies --apply). |
--risk-max <risk> | low | Maximum risk to auto-apply: low | medium | high | manual. |
--fix-ids <list> | — | Only apply these group IDs (comma-separated). |
--snapshot | false | Take an LVM/BTRFS snapshot before applying (best-effort). |
# Show the plan (dry-run)
obexum fix --scan-id <uuid>
# Apply only low-risk fixes, confirming each group
obexum fix --scan-id <uuid> --apply --risk-max low
playbook
Inspect and render Obexum remediation playbooks from the built-in knowledge base, independently of any scan. Rendering prints a script that is not executed — it is intended for a change-management reviewer.
playbook list
List every playbook in the built-in KB.
| Flag | Default | Description |
|---|---|---|
--platform <p> | — | Filter by platform: linux | windows | windows-dc. |
--rule-id <substr> | — | Filter by rule_id substring. |
playbook show <playbook-id>
Show the full body of one playbook (summary, advisories, pre/post checks, commands, rollback, references).
playbook render <playbook-id>
Render a playbook into a single shell or PowerShell script for offline review. Nothing is run.
| Flag | Default | Description |
|---|---|---|
--item <name> | — | Item name substituted as {{ .ItemName }} (e.g. a cert template CN). |
--target <host> | — | Target host or address, embedded in the script header. |
-o, --output <path> | stdout | Write to this path instead of stdout. |
# Browse the catalogue for Windows DC playbooks
obexum playbook list --platform windows-dc
# Render one to a reviewable script
obexum playbook render pb-windows-dc-adcs-001 \
--item OBX_ESC1_AltSAN \
--target prod-dc-01 \
-o fix-ADCS-001.ps1
init
Bootstrap ~/.obexum/ with a starter config.yaml and an ed25519 SSH keypair location. Creates the keys/ and scans/ directories with sensible defaults.
| Flag | Default | Description |
|---|---|---|
--force | false | Overwrite an existing config.yaml (scans + SSH keypair are preserved). |
--non-interactive | false | Skip prompts; emit instructions to stdout. |
obexum init
targets
Manage named scan targets in ~/.obexum/targets.yaml so you can scan by short name — obexum scan --target prod-dc-01 — instead of retyping the SSH spec each time. You can also scan ad hoc by spec (ssh://user@host or local://localhost) without registering.
targets add <name>
Add (or update) a named scan target.
| Flag | Default | Description |
|---|---|---|
--type <type> | ssh | Target type: ssh | windows | windows-dc | local. |
--host <addr> | — | Hostname or IP (required). |
--port <n> | 22 | SSH port. |
--user <user> | Administrator | SSH user. |
--key <path> | ~/.obexum/keys/obexum_ed25519 | SSH private key path. |
--notes <text> | — | Free-form note. |
targets list
List configured scan targets.
targets remove <name>
Remove a configured target.
obexum targets add prod-dc-01 \
--type windows-dc \
--host 10.0.0.5 \
--user Administrator
obexum targets list
findings
Inspect findings from a previous scan engagement, read out of ~/.obexum/scans/<scan_id>/findings.json. When --scan is omitted, the most recent engagement is used.
findings list
List the rule_ids, severities, and counts in an engagement.
| Flag | Default | Description |
|---|---|---|
--scan <id> | most recent | Scan ID (defaults to the most recent engagement). |
findings show <rule-id>
Show one finding's full evidence + remediation hints from an engagement.
| Flag | Default | Description |
|---|---|---|
--scan <id> | most recent | Scan ID (defaults to the most recent engagement). |
obexum findings list
obexum findings show AUD-WIN-ADCS-001
defend
Scan server logs for attackers and enrich with GeoIP + threat intel. Discovers external IPs that attacked the target (SSH brute-force, web 4xx/5xx bursts, fail2ban bans), attributes each with country / ISP / ASN / hosting type, and cross-references public feeds (Spamhaus, FireHOL, ET, CINS, TOR, Blocklist.de).
| Flag | Default | Description |
|---|---|---|
-t, --target <spec> | — | Target spec (required). |
--min-attempts <N> | 3 | Only report IPs with at least N attempts. |
--max-lines <N> | 50000 | Log lines per source to inspect. |
--blocklist <path> | — | Write a UFW-ready block file to this path. |
--update-feeds | false | Force refresh of threat intel feeds. |
-o, --output <dir> | from config | Output directory for reports. |
-f, --formats <list> | markdown,json,html | Output formats. |
obexum defend --target ssh://root@example.com
obexum defend --target ssh://root@example.com --blocklist /tmp/block.txt
gui
Start the Obexum GUI server (local web dashboard). Binds to 127.0.0.1:7070 by default and prints a token the browser uses to authenticate.
| Flag | Default | Description |
|---|---|---|
--bind <addr> | 127.0.0.1:7070 | Address to bind the GUI to. |
--token-file <path> | ~/.obexum/gui-token | Path to the persistent token file. |
--print-token | false | Print the current token and exit (doesn't start the server). |
obexum gui
# then open http://localhost:7070/ui/ and paste the printed token
sbom
Generate an SPDX 2.3 JSON Software Bill of Materials for the target system by enumerating installed packages (dpkg / rpm / apk). Each package emits an SPDX Package + DESCRIBES Relationship with a purl externalRef.
| Flag | Default | Description |
|---|---|---|
-t, --target <spec> | from config | Target spec, e.g. ssh://root@host. |
-o, --output <path> | stdout | Output file path (- for stdout). |
--name <name> | obexum-sbom-<target> | SPDX document name. |
obexum sbom -t local
obexum sbom --target ssh://root@host -o sbom-host.json --name acme-prod
Target specs
Commands that take -t / --target accept these forms:
localorlocal://localhost— scan the host the binary runs on.ssh://user@host— scan over SSH (defaults to userroot, port22).ssh://user@host:port— SSH with an explicit port.
When the flag is omitted, the target is read from your config file (target.*). The SSH key path falls back to ~/.ssh/obexum_ed25519 when not set in config.
See also
- Quickstart — the five-minute end-to-end walkthrough.
- Configuration — the full
config.yamlreference. - Check catalogue — every rule the scanner runs.
- Playbook catalogue (55) — every remediation playbook.