@kubbisec/aspm
Official KubbiSec ASPM CLI — upload security findings, coverage, and SBOM data, and manage projects from the terminal.
ASPM (Application Security Posture Management) centralizes scans, coverage gates, and reporting so teams can track risk in one place.
Features
- Authentication — session-based login aligned with the KubbiSec web app.
- Scan upload — push reports from common scanners into a project.
- Coverage — upload LCOV or Clover for test coverage tracking and gates.
- Local tooling — parse and validate reports without sending data (dry run).
- Native binaries — per-platform executables via `optionalDependencies` (no postinstall scripts; works with `npm install --ignore-scripts`).
Requirements
- Node.js 18 or newer.
- A KubbiSec account and API access (URL, API key, organization/project identifiers as required by your tenant).
Installation
```sh
npm install -g @kubbisec/aspm
```
Quick start
```sh
# Authenticate (follow the prompts or use your org’s SSO flow if configured)
aspm login
# Validate a vulnerability / scan report locally
aspm scan report.json -s trivy
# Upload a vulnerability / scan report
aspm upload report.json -s trivy -p <project-id>
# Upload coverage
aspm coverage lcov.info -p <project-id>
# Parse locally without uploading
aspm parse report.json -s trivy
# Open the dashboard (browser)
aspm dashboard
# List projects
aspm projects
```
Run `aspm --help` for subcommands and global options.
Supported scanners
| Scanner | Use case | Typical format |
|---|---|---|
| Trivy | Container / deps | JSON |
| Sonar | SAST | JSON |
| Nmap | Network | XML |
| Skipfish | Web | JSON |
| OSV | Dependency advisories | JSON |
| Gitleaks | Secrets | JSON |
| Syft | SBOM | JSON |
Exact flags and file expectations may vary by version; use `aspm upload --help` and your KubbiSec project settings.
Coverage formats
- LCOV — e.g. `lcov.info` (Jest, Vitest, Istanbul, and similar).
- Clover — e.g. `clover.xml` (Vitest, PHPUnit, OpenClover, and similar).
Configuration
CLI configuration is stored at:
~/.kubbisec/config.json
You can override defaults with environment variables (typical):
| Variable | Purpose |
|---|---|
| KUBBISEC_API_URL | API base URL |
| KUBBISEC_API_KEY | API key / token |
| KUBBISEC_ORG_ID | Organization ID |
| KUBBISEC_PROJECT | Default project ID |
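The Quick start flow, the scanner table and the configuration variables above combine naturally into a small CI wrapper. The script below is an added example and is not part of @kubbisec/aspm: it fails closed when neither KUBBISEC_API_KEY nor ~/.kubbisec/config.json is available, checks that a report's top-level syntax matches the format the table lists for its scanner, runs the dry-run `scan` subcommand before `upload`, and defaults the project to KUBBISEC_PROJECT. It assumes `aspm scan` exits non-zero when it rejects a report.

```sh
# Added CI wrapper example, not part of @kubbisec/aspm. Assumes `aspm scan`
# exits non-zero when it rejects a report (dry run, nothing is sent).

# Expected report format per scanner, taken from the README's scanner table.
expected_format() {
  case "$1" in
    trivy|sonar|skipfish|osv|gitleaks|syft) echo json ;;
    nmap) echo xml ;;
    *) echo unknown ;;
  esac
}

# Cheap structural check on the first non-blank character: JSON starts
# with { or [, XML with <. Catches empty files and scanner/format mix-ups
# before any data leaves the build host. Returns 0 on a match.
report_matches_format() {
  fmt=$(expected_format "$1")
  first=$(tr -d '[:space:]' < "$2" | cut -c1)
  case "$fmt:$first" in
    json:\{|json:\[) return 0 ;;
    xml:\<) return 0 ;;
    *) return 1 ;;
  esac
}

# Fail closed: credentials must come from KUBBISEC_API_KEY or the CLI's
# config file at ~/.kubbisec/config.json, and the report must be readable
# and of the expected format.
preflight() {
  if [ -z "$KUBBISEC_API_KEY" ] && [ ! -r "$HOME/.kubbisec/config.json" ]; then
    echo "preflight: no KUBBISEC_API_KEY and no ~/.kubbisec/config.json" >&2
    return 1
  fi
  [ -r "$2" ] || { echo "preflight: cannot read report $2" >&2; return 1; }
  report_matches_format "$1" "$2" || {
    echo "preflight: $2 is not $(expected_format "$1") as expected for $1" >&2
    return 1
  }
}

# Full flow: preflight, local dry run, then upload. The project id comes
# from the third argument or falls back to KUBBISEC_PROJECT (README default).
upload_report() {
  scanner=$1; report=$2; project=${3:-$KUBBISEC_PROJECT}
  preflight "$scanner" "$report" || return 1
  aspm scan "$report" -s "$scanner" || return 1
  aspm upload "$report" -s "$scanner" -p "$project"
}
```

Call it from a pipeline step as `upload_report trivy report.json` once KUBBISEC_API_KEY and KUBBISEC_PROJECT are set in the job environment.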
Supported platforms
Installing @kubbisec/aspm selects the matching binary:
| OS | Architecture | npm package |
|---|---|---|
| Linux | x64 | @kubbisec/aspm-linux-x64 |
| Linux | arm64 | @kubbisec/aspm-linux-arm64 |
| macOS | arm64 | @kubbisec/aspm-darwin-arm64 |
| Windows | x64 | @kubbisec/aspm-win32-x64 |
License
MIT — see LICENSE in this package.
Trademarks
KubbiSec and related marks are property of their respective owners. This package is distributed for use with the KubbiSec ASPM platform.