AppCheck's Command Line Interface (CLI) tools allow users to use AppCheck's API within automated processes, enabling integration with CI/CD pipelines.
Create CI/CD Token
CI/CD tokens can be managed by admin users in the CI/CD Tokens page within the AppCheck Portal.
If you are an admin user and you do not see the CI/CD tokens page in the sidebar, use this form to request access. If your organisation is not licensed for CI/CD integration your account manager will contact you.
Click "New CI/CD Token" in the top right to create a new token, or the pencil icon next to an existing token to edit it.
You will need to provide the public IP address from which your API requests will come; often this will be the address of your outbound gateway or proxy server. Private (internal) addresses usually begin with 192, 172 or 10 - if this is the IP address you see then you may need to speak to your network administrator to get your public address. You may find you have multiple public addresses, which may be alternated between - in this case, you will need to add them all to your account's allow list.
All CI/CD Tokens are associated with an AppCheck user. You may wish to create a dedicated user for your integration, to make it clear in logs which service/user initiated actions. The level of user you need to create will depend on the actions you wish to perform as part of your integration. If you wish to create scans, then you will need to use an admin user. If you wish only to run scans, or view results, then a standard user will be sufficient if it is added to appropriate user groups.
Download
To download the AppCheck CLI tool log in to the AppCheck Portal and select Downloads in the side bar. The tool is provided as an installer for various systems as well as in binary form.
Install
Install the tool on your CI/CD server. Ensure it has outbound access to AppCheck's servers.
Configure
When the tool is used it reads your CI/CD token from an environment variable called APPCHECK_API_KEY. You will need to create and store this environment variable before using the tool.
The exact way to set up an environment variable will depend on the Command Line Interface you are using.
For example, if using Bash, you might do this with the following command:
export APPCHECK_API_KEY="[AppCheck CI/CD Token]"
If using PowerShell, you might use the following command:
$env:APPCHECK_API_KEY="[AppCheck CI/CD Token]"
Use
With the tool installed and configured, it can now be invoked using your preferred CLI. The exact format used to invoke this tool, or any software, may vary depending on the CLI being used. The examples below use syntax appropriate for Bash and similar CLIs, and assume the current working directory contains the AppCheck CLI tool binary.
Each command takes an action, a scan ID, and a number of optional flags:
./appcheck-cli --action [action] --scan-id [Scan ID] --optional-flag1 --optional-flag2
How to Find Your Scan ID
You can find the Scan ID in the URL when viewing a scan in the AppCheck Portal. For example if the URL of your scan is https://scanner.appcheck-ng.com/scans/123d45abcdefg67ui then the scan ID is 123d45abcdefg67ui.
Actions
Run a Scan and Wait for it to Complete
run
This action runs a new instance of the scan specified in [Scan ID]. This is similar to start, but while the start action returns straight away, this action does not return until the scan has completed.
Example:
./appcheck-cli --action run --scan-id 123d45abcdefg67ui --display-vulns
This command starts a new run of scan 123d45abcdefg67ui, waits for the scan to complete, then displays the discovered vulnerabilities (as a result of the optional flag --display-vulns).
Start a Scan
start
This action starts a new instance of the scan specified in [Scan ID]. This is similar to run, but while the run action waits for the scan to complete, this action returns straight away.
Example:
./appcheck-cli --action start --scan-id 123d45abcdefg67ui
Stop a Scan
stop
This action aborts the currently running instance of the scan specified in [Scan ID].
Example:
./appcheck-cli --action stop --scan-id 123d45abcdefg67ui
Pause a Scan
pause
This action pauses the currently running instance of the scan specified in [Scan ID].
Example:
./appcheck-cli --action pause --scan-id 123d45abcdefg67ui
Resume a Scan
resume
This action resumes a currently paused instance of the scan specified in [Scan ID].
Example:
./appcheck-cli --action resume --scan-id 123d45abcdefg67ui
Fetch the Last Results of a Scan
results
This action retrieves the results of the most recent instance of the scan specified in [Scan ID].
Example:
./appcheck-cli --action results --scan-id 123d45abcdefg67ui --display-vulns
Show the Current Status of a Scan
status
This action reports the status of the scan specified in [Scan ID].
Example:
./appcheck-cli --action status --scan-id 123d45abcdefg67ui
Wait for a Scan to complete and Display Vulnerabilities
watch
This action waits for the currently running instance of the scan specified in [Scan ID] to complete before returning. Running this action after a scan that was started with the start action is similar to simply starting a scan with the run action.
Example:
./appcheck-cli --action watch --scan-id 123d45abcdefg67ui --display-vulns
This command waits for the running instance of scan 123d45abcdefg67ui to complete, then displays the discovered vulnerabilities (as a result of the optional flag --display-vulns).
Show Scan Details
details
This action reports detailed information about the scan specified in [Scan ID], including targets, progress, name, and vulnerability counts.
Example:
./appcheck-cli --action details --scan-id 123d45abcdefg67ui
Optional Flags
Optional flags modify the results of various actions.
Flag | Description
--display-vulns | Display vulnerability titles and impacts.
--no-banner | Do not display the banner on launch, useful for scripting.
--fail-any | Exit with code 1 for CI/CD if any vulnerabilities are found.
--fail-low | Exit with code 1 for CI/CD if low-severity vulnerabilities are found.
--fail-medium | Exit with code 1 for CI/CD if medium-severity vulnerabilities are found.
--fail-high | Exit with code 1 for CI/CD if high-severity vulnerabilities are found.
--fail-any-count | The maximum count of vulnerabilities to fail for the "any" threshold (defaults to 0).
--fail-low-count | The maximum count of vulnerabilities to fail for the "low" threshold (defaults to 0).
--fail-medium-count | The maximum count of vulnerabilities to fail for the "medium" threshold (defaults to 0).
--fail-high-count | The maximum count of vulnerabilities to fail for the "high" threshold (defaults to 0).