Cloudsmith CLI: New vulnerability command

Cloudsmith has introduced a new vulnerabilities command to the CLI, allowing users to retrieve package security scan results through a single command.

Previously, accessing these results required orchestrating multiple API commands to fetch package lists, identify scan IDs, and manually request and parse the scan results. This update streamlines the process for customers who need to retrieve vulnerability data outside of the Cloudsmith web application.

How it works

  • Summary view (default): Displays a high-level count of vulnerabilities categorized by severity, including Critical, High, Medium, Low, and Unknown.
  • Assessment view (--show-assessment or -A): Provides a detailed breakdown where vulnerabilities are grouped by the specific affected upstream dependency.
  • Automatic sorting: Results within the assessment view are automatically sorted by severity, ensuring critical issues appear first.
  • Rich formatting: Data is rendered in formatted tables to provide a clear, readable view within the terminal.
  • Programmatic output: Supports --output-format json and pretty_json for seamless integration with automated tooling and CI/CD pipelines.

Filtering capabilities

The command includes advanced filtering flags to help users isolate actionable security data:

  • Severity filtering: Use the --severity flag to display only specific levels, such as filtering for Critical and High findings.
  • Status filtering: Use the --fixable flag to show only vulnerabilities for which a patch or fixed version is currently available, or --non-fixable to show only those that have no fix yet.

Example

To view a summary, or a detailed assessment filtered to critical vulnerabilities, for a specific package, use the following command structure:

# Get a summary of all vulnerabilities for a package
cloudsmith vulnerabilities <org>/<repo>/<package-id>

# Show a detailed assessment filtered by Critical severity
cloudsmith vulnerabilities <org>/<repo>/<package-id> -A --severity critical
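A CI gate built on the JSON output, as an added example (not Cloudsmith's own code): it assembles the command with --output-format json and fails the build when any fixable Critical or High finding remains. The JSON shape (a list of findings with "severity" and "fixable" keys), the sample data, the org/repo/package values and the function names are assumptions, not taken from the bulletin.

```python
import json
import subprocess
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low", "unknown")  # order of the summary view

# Constructed sample standing in for the CLI's JSON output; the field names
# ("severity", "fixable") are an assumed shape, not documented in the bulletin.
SAMPLE_SCAN = json.dumps([
    {"name": "libexample-a", "severity": "CRITICAL", "fixable": True},
    {"name": "libexample-b", "severity": "High", "fixable": False},
    {"name": "libexample-c", "severity": "medium", "fixable": True},
    {"name": "libexample-d", "fixable": False},  # severity missing -> counted as "unknown"
])


def build_command(org, repo, package_id, assessment=False, fixable_only=False):
    """Assemble the invocation from the flags the bulletin documents."""
    cmd = ["cloudsmith", "vulnerabilities", f"{org}/{repo}/{package_id}",
           "--output-format", "json"]
    if assessment:
        cmd.append("-A")
    if fixable_only:
        cmd.append("--fixable")
    return cmd


def parse_findings(text):
    """Accept a bare list of findings or an object wrapping one (assumed shape)."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("vulnerabilities", [])
    return list(data)


def gate(findings, fail_on=("critical", "high"), fixable_only=True):
    """Return (ok, counts); ok is False when a blocking-severity finding is present."""
    considered = [f for f in findings if f.get("fixable") or not fixable_only]
    tally = Counter(str(f.get("severity", "unknown")).lower() for f in considered)
    counts = {sev: tally.get(sev, 0) for sev in SEVERITIES}
    return sum(counts[s] for s in fail_on) == 0, counts


def run_gate(org, repo, package_id):
    """Run the CLI (must be installed and authenticated) and gate on its output."""
    proc = subprocess.run(build_command(org, repo, package_id),
                          capture_output=True, text=True, check=True)
    return gate(parse_findings(proc.stdout))


if __name__ == "__main__":
    ok, counts = gate(parse_findings(SAMPLE_SCAN))  # use run_gate(...) for a real package
    print("fixable findings by severity:", counts)
    raise SystemExit(0 if ok else 1)
```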

The new vulnerabilities command is available in Cloudsmith CLI version 1.14.0 (or later).
