accuknox-aspm-scanner is a unified command-line interface for running application security scans (IaC, SAST, Secret, Container, and DAST) as part of your CI/CD or developer workflow.
It integrates with the AccuKnox ASPM Platform but can also operate completely standalone, ideal for on-premise or air-gapped environments.

- One CLI for all security scan types: IaC, SAST, SonarQube SAST, Secret, Container, and DAST
- Direct execution using containerized or local tools
- Easy integration with CI/CD pipelines and pre-commit hooks
- Push results to AccuKnox ASPM Platform (optional)
- Fully offline/on-premise mode supported
- Environment variable and argument-based configuration
- Debug logging with full trace support
```sh
pip install https://github.com/accuknox/aspm-scanner-cli/releases/download/v0.13.8/accuknox_aspm_scanner-0.13.8-py3-none-any.whl
```

For restricted environments, you can install the precompiled `.deb.gz` package provided by AccuKnox:

```sh
sudo dpkg -i accuknox-aspm-scanner_<version>.deb
```

The following variables are supported for configuration (the `ACCUKNOX_*` variables are optional if `--skip-upload` is used):
| Variable | Description |
|---|---|
| `ACCUKNOX_ENDPOINT` | URL of the AccuKnox Control Plane API endpoint |
| `ACCUKNOX_LABEL` | Label or project name to associate scan results |
| `ACCUKNOX_TOKEN` | Authentication token for the AccuKnox platform |
| `ASPM_DEBUG` | Set to `TRUE` to enable verbose trace output |
| `SCAN_IMAGE` | Override internal Docker images for on-prem scanners (e.g., `myregistry/accuknox-iac:latest`) |
Tip: use `--skip-upload` to disable result upload to the AccuKnox platform, useful for local testing or isolated environments.
```sh
accuknox-aspm-scanner tool install --all
```

Or install/update specific tools:

```sh
accuknox-aspm-scanner tool install --type iac
```

Supported tool types:

- `sast`: Static Code Analysis
- `sq-sast`: Static Analysis via SonarQube
- `secret`: Secret Detection
- `iac`: IaC Static Code Analysis
- `container`: Container Image Scanning
- `dast`: Dynamic Analysis
This installs the CLI into `~/.local/bin/accuknox/`.
Each scan supports `--command`, which passes arguments directly to the underlying scanner.

```sh
accuknox-aspm-scanner scan iac --command "-d ."
accuknox-aspm-scanner scan sast --command "scan ."
accuknox-aspm-scanner scan secret --command "git file://." --container-mode
accuknox-aspm-scanner scan container --command "--image nginx:latest"
accuknox-aspm-scanner scan dast --command "zap-baseline.py -t http://example.com/ -I"
accuknox-aspm-scanner scan sq-sast --command "-Dsonar.projectKey='<PROJECT KEY>' -Dsonar.host.url=<HOST URL> -Dsonar.token=<TOKEN> -Dsonar.organization=<ORG ID>"
```

| Flag | Description |
|---|---|
| `--endpoint` | Control Plane URL (overrides env var) |
| `--label` | Label or project name |
| `--token` | Authentication token |
| `--skip-upload` | Skip uploading results to Control Plane |
| `--softfail` | Do not break CI/CD pipeline on findings |
| `--container-mode` | Run scanner inside a container |
```sh
ACCUKNOX_ENDPOINT=cspm.accuknox.com \
ACCUKNOX_LABEL=POC \
ACCUKNOX_TOKEN=abcd1234 \
accuknox-aspm-scanner scan sast \
  --command "scan ." \
  --softfail
```

You can easily integrate AccuKnox Secret Scan into your development workflow using the pre-commit framework.
```sh
pip install pre-commit && accuknox-aspm-scanner pre-commit install
```

This automatically installs a pre-commit hook at `.git/hooks/pre-commit`.
In a fully offline/on-premise environment:

1. Install the precompiled `.deb.gz` or tarball
2. Disable container mode if installed natively
3. For container mode, set `SCAN_IMAGE` to use internal registry images

Example:

```sh
export SCAN_IMAGE=registry.local/semgrep:latest
accuknox-aspm-scanner scan iac --command "-d ." --container-mode
```

Enable verbose debug mode:

```sh
DEBUG=TRUE accuknox-aspm-scanner scan iac --command "-d ."
```
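A CI wrapper for the SAST invocation shown earlier and the offline procedure above, added here as an example rather than taken from the project: it uploads only when all three `ACCUKNOX_*` variables are present, falls back to `--skip-upload` otherwise, and turns on `--container-mode` whenever `SCAN_IMAGE` points at an internal registry image. The `SCANNER` and `ASPM_SOFTFAIL` variables are assumptions local to this script, not options of the CLI.

```shell
#!/bin/sh
# Added example (not part of accuknox-aspm-scanner): a small CI wrapper.
# SCANNER and ASPM_SOFTFAIL are assumed, script-local variables; the
# ACCUKNOX_* and SCAN_IMAGE variables and the flags are those of the CLI.

# run_aspm_scan <scan type> "<arguments passed to --command>"
run_aspm_scan() {
    scan_type="$1"
    scan_cmd="$2"
    scanner="${SCANNER:-accuknox-aspm-scanner}"

    # Base invocation; the remaining flags are appended below.
    set -- scan "$scan_type" --command "$scan_cmd"

    # Upload needs endpoint, label and token. If any is missing, keep the
    # scan local and say so, so the job log shows why nothing was pushed.
    if [ -z "${ACCUKNOX_ENDPOINT:-}" ] || [ -z "${ACCUKNOX_LABEL:-}" ] || [ -z "${ACCUKNOX_TOKEN:-}" ]; then
        echo "run_aspm_scan: AccuKnox credentials not set, results stay local (--skip-upload)" >&2
        set -- "$@" --skip-upload
    fi

    # Air-gapped setup: SCAN_IMAGE names an internal registry image,
    # so the scanner has to run inside that container.
    if [ -n "${SCAN_IMAGE:-}" ]; then
        set -- "$@" --container-mode
    fi

    # Let a pipeline opt into report-only behaviour instead of failing the job.
    if [ "${ASPM_SOFTFAIL:-}" = "TRUE" ]; then
        set -- "$@" --softfail
    fi

    "$scanner" "$@"
}

# Usage: sh ci-scan.sh <scan type> "<scanner arguments>"
if [ "$#" -ge 2 ]; then
    run_aspm_scan "$1" "$2"
fi
```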