CLI reference

Every command, subcommand, and flag exposed by the obexum binary. The CLI is a single self-contained executable — download the signed build for your target OS from Account → Builds, and run it locally or against a remote host over SSH.

Synopsis

obexum [command] [flags]

Obexum is a professional-grade vulnerability scanner that combines deterministic open-source engines (Lynis, Trivy, Nuclei, nmap, osquery) with optional LLM-powered reasoning to surface real risk in your infrastructure.

Global flags

These persistent flags apply to every command:

FlagDefaultDescription
-c, --config <path>./configs/obexum.yamlPath to the config file.
--log-level <level>infoLog level: trace | debug | info | warn | error.
--versionPrint the version and exit.
-h, --helpShow help for any command.

Commands at a glance

scan

Run a security scan: runs the enabled scanners + audit checks against the configured target and generates reports.

FlagDefaultDescription
-t, --target <spec>from configTarget spec, e.g. local://localhost or ssh://user@host:port.
-d, --depth <depth>from configScan depth: quick | standard | deep.
-o, --output <dir>from configOutput directory for reports.
-s, --scanners <list>from configOverride enabled scanners (comma-separated).
-f, --formats <list>from configOverride output formats: markdown, json, html, sarif.
--aifalseOpt into Anthropic Claude API reasoning (costs ~$0.40–$1.60/scan).
--local-aifalseOpt into local LLM reasoning via llama.cpp (free but slower).
--no-llmfalseDisable LLM reasoning entirely (deprecated alias; LLM is off by default).
--remediatefalseGenerate obexum-remediation.ps1 (+ rollback) from the findings (Windows).
--upload-token <jwt>Engagement JWT minted by the portal; auto-uploads the scan JSON to obexum.com when set.
--portal-url <url>https://obexum.comOverride portal base URL (self-hosted enterprise or local-dev testing).
--allow-stale-feedfalseOverride the freshness gate when the embedded CVE feed is >180 days old (air-gapped).
# Scan the local host with config defaults
obexum scan -t local://localhost

# Deep scan of a remote host, HTML + SARIF reports, with Claude reasoning
obexum scan -t ssh://root@10.0.0.5 -d deep -f html,sarif --ai

verify

Verify a single finding has been remediated (ACME-style loop). Re-runs the audit rule bound to a portal-issued verify token and posts the result back; the portal marks the finding pass (fixed) or fail (still present).

FlagDefaultDescription
--upload-token <jwt>Portal-issued verify JWT (audience=scanner-verify).
--portal-url <url>https://obexum.comPortal base URL.
--rule-id <id>from JWTOverride the rule ID encoded in the JWT (rarely needed).
-t, --target <spec>local://localhostTarget spec.
# Run on the target host after applying the suggested remediation
obexum verify --upload-token=$VERIFY_JWT --portal-url=https://obexum.com

report

Regenerate a report for a past scan, or render a compliance coverage matrix against a recognised framework. Omit --scan-id to list recent scans.

FlagDefaultDescription
--scan-id <id>Scan ID to regenerate (omit to list recent scans).
-f, --format <fmt>markdownOutput format: markdown | json.
--framework <fw>Compliance framework: cis | nist | stig | attack | cwe (overrides --format).
# Re-render a past scan as JSON
obexum report --scan-id=<id> -f json

# Render a CIS compliance coverage matrix for that scan
obexum report --scan-id=<id> --framework cis

config

Print the effective configuration (after defaults, config file, and flags are merged) as JSON.

obexum config

history

Show scan history and the trend for a target.

FlagDefaultDescription
-t, --target <name>from configTarget name to show history for.
-n, --limit <N>20Maximum number of scans to show.
obexum history -t prod-dc-01 -n 10

diff

Show what changed between two scans (A = baseline, B = newer): new, resolved, persisting, worsened, and improved findings.

obexum diff <scan-A-id> <scan-B-id>
FlagDefaultDescription
--fullfalseList every finding in each diff category.
obexum diff a1b2c3d4 e5f6a7b8 --full

fix

Show, and optionally apply, the remediation plan for a scan. Default mode is dry-run — it prints the ranked plan and does nothing.

FlagDefaultDescription
--scan-id <uuid>Scan UUID to plan/apply fixes for (required).
--applyfalseExecute fixes (default: dry-run).
--yesfalseDon't ask per-group confirmation (implies --apply).
--risk-max <risk>lowMaximum risk to auto-apply: low | medium | high | manual.
--fix-ids <list>Only apply these group IDs (comma-separated).
--snapshotfalseTake an LVM/BTRFS snapshot before applying (best-effort).
# Show the plan (dry-run)
obexum fix --scan-id <uuid>

# Apply only low-risk fixes, confirming each group
obexum fix --scan-id <uuid> --apply --risk-max low

playbook

Inspect and render Obexum remediation playbooks from the built-in knowledge base, independently of any scan. Rendering prints a script that is not executed — it is intended for a change-management reviewer.

playbook list

List every playbook in the built-in KB.

FlagDefaultDescription
--platform <p>Filter by platform: linux | windows | windows-dc.
--rule-id <substr>Filter by rule_id substring.

playbook show <playbook-id>

Show the full body of one playbook (summary, advisories, pre/post checks, commands, rollback, references).

playbook render <playbook-id>

Render a playbook into a single shell or PowerShell script for offline review. Nothing is run.

FlagDefaultDescription
--item <name>Item name substituted as {{ .ItemName }} (e.g. a cert template CN).
--target <host>Target host or address, embedded in the script header.
-o, --output <path>stdoutWrite to this path instead of stdout.
# Browse the catalogue for Windows DC playbooks
obexum playbook list --platform windows-dc

# Render one to a reviewable script
obexum playbook render pb-windows-dc-adcs-001 \
    --item OBX_ESC1_AltSAN \
    --target prod-dc-01 \
    -o fix-ADCS-001.ps1
Read before you run. The rendered script is dry-run output for a change-management reviewer. Obexum does not execute it. The header lists every advisory and the rollback section is at the bottom (commented out).

init

Bootstrap ~/.obexum/ with a starter config.yaml and an ed25519 SSH keypair location. Creates the keys/ and scans/ directories with sensible defaults.

FlagDefaultDescription
--forcefalseOverwrite an existing config.yaml (scans + SSH keypair are preserved).
--non-interactivefalseSkip prompts; emit instructions to stdout.
obexum init

targets

Manage named scan targets in ~/.obexum/targets.yaml so you can scan by short name — obexum scan --target prod-dc-01 — instead of retyping the SSH spec each time. You can also scan ad hoc by spec (ssh://user@host or local://localhost) without registering.

targets add <name>

Add (or update) a named scan target.

FlagDefaultDescription
--type <type>sshTarget type: ssh | windows | windows-dc | local.
--host <addr>Hostname or IP (required).
--port <n>22SSH port.
--user <user>AdministratorSSH user.
--key <path>~/.obexum/keys/obexum_ed25519SSH private key path.
--notes <text>Free-form note.

targets list

List configured scan targets.

targets remove <name>

Remove a configured target.

obexum targets add prod-dc-01 \
    --type windows-dc \
    --host 10.0.0.5 \
    --user Administrator

obexum targets list

findings

Inspect findings from a previous scan engagement, read out of ~/.obexum/scans/<scan_id>/findings.json. When --scan is omitted, the most recent engagement is used.

findings list

List the rule_ids, severities, and counts in an engagement.

FlagDefaultDescription
--scan <id>most recentScan ID (defaults to the most recent engagement).

findings show <rule-id>

Show one finding's full evidence + remediation hints from an engagement.

FlagDefaultDescription
--scan <id>most recentScan ID (defaults to the most recent engagement).
obexum findings list

obexum findings show AUD-WIN-ADCS-001

defend

Scan server logs for attackers and enrich with GeoIP + threat intel. Discovers external IPs that attacked the target (SSH brute-force, web 4xx/5xx bursts, fail2ban bans), attributes each with country / ISP / ASN / hosting type, and cross-references public feeds (Spamhaus, FireHOL, ET, CINS, TOR, Blocklist.de).

FlagDefaultDescription
-t, --target <spec>Target spec (required).
--min-attempts <N>3Only report IPs with at least N attempts.
--max-lines <N>50000Log lines per source to inspect.
--blocklist <path>Write a UFW-ready block file to this path.
--update-feedsfalseForce refresh of threat intel feeds.
-o, --output <dir>from configOutput directory for reports.
-f, --formats <list>markdown,json,htmlOutput formats.
obexum defend --target ssh://root@example.com

obexum defend --target ssh://root@example.com --blocklist /tmp/block.txt

gui

Start the Obexum GUI server (local web dashboard). Binds to 127.0.0.1:7070 by default and prints a token the browser uses to authenticate.

FlagDefaultDescription
--bind <addr>127.0.0.1:7070Address to bind the GUI to.
--token-file <path>~/.obexum/gui-tokenPath to the persistent token file.
--print-tokenfalsePrint the current token and exit (doesn't start the server).
obexum gui
# then open http://localhost:7070/ui/ and paste the printed token
Local-trust by design. The GUI trusts local clients by construction. Never expose the raw HTTP port to the internet — put it behind a TLS-enabled reverse proxy (e.g. Caddy) with auth for remote access.

sbom

Generate an SPDX 2.3 JSON Software Bill of Materials for the target system by enumerating installed packages (dpkg / rpm / apk). Each package emits an SPDX Package + DESCRIBES Relationship with a purl externalRef.

FlagDefaultDescription
-t, --target <spec>from configTarget spec, e.g. ssh://root@host.
-o, --output <path>stdoutOutput file path (- for stdout).
--name <name>obexum-sbom-<target>SPDX document name.
obexum sbom -t local

obexum sbom --target ssh://root@host -o sbom-host.json --name acme-prod

Target specs

Commands that take -t / --target accept these forms:

When the flag is omitted, the target is read from your config file (target.*). The SSH key path falls back to ~/.ssh/obexum_ed25519 when not set in config.

See also