@sentriflow/cli 0.1.9 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +97 -2
  2. package/dist/index.js +2024 -409
  3. package/package.json +1 -1
package/README.md CHANGED
@@ -37,6 +37,15 @@ sentriflow --list-vendors
37
37
 
38
38
  # List active rules
39
39
  sentriflow --list-rules
40
+
41
+ # List rules by category
42
+ sentriflow --list-rules --category authentication
43
+
44
+ # List all categories
45
+ sentriflow --list-categories
46
+
47
+ # Read from stdin
48
+ cat router.conf | sentriflow -
40
49
  ```
41
50
 
42
51
  ## Usage
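Review bot: The stdin example `cat router.conf | sentriflow -` at the end of the added block does not say how the vendor is selected or what file name findings are reported under when there is no path to inspect. Add a sentence covering both, and consider writing the example as `sentriflow - < router.conf` so it does not depend on `cat`.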
@@ -47,7 +56,7 @@ Usage: sentriflow [options] [file]
47
56
  SentriFlow Network Configuration Compliance Checker
48
57
 
49
58
  Arguments:
50
- file Path to the configuration file
59
+ file Path to the configuration file (use - for stdin)
51
60
 
52
61
  Options:
53
62
  -V, --version output the version number
@@ -80,10 +89,20 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
80
89
  | `--no-config` | Ignore config file |
81
90
  | `-d, --disable <ids>` | Comma-separated rule IDs to disable |
82
91
  | `--list-rules` | List all active rules and exit |
92
+ | `--list-categories` | List all rule categories with counts |
93
+ | `--category <name>` | Filter `--list-rules` by category |
94
+ | `--list-format <fmt>` | Format for `--list-rules`: `table` (default), `json`, `csv` |
83
95
  | `-p, --rule-pack <path>` | Rule pack file to load |
84
96
  | `--json-rules <path...>` | Path(s) to JSON rules file(s) |
85
97
  | `-r, --rules <path>` | Additional rules file (legacy) |
86
98
 
99
+ ### IP Extraction
100
+
101
+ | Option | Description |
102
+ |--------|-------------|
103
+ | `--extract-ips` | Extract and display all IP addresses/subnets from configuration |
104
+ | `--copy-ips` | Copy extracted IPs to clipboard (requires xclip/pbcopy) |
105
+
87
106
  ### Encrypted Rule Packs
88
107
 
89
108
  | Option | Description |
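Review bot: `--copy-ips` in the new IP Extraction table is documented only as "requires xclip/pbcopy", which leaves out what happens when neither tool is installed (headless CI runners, Windows) and whether the run then fails or silently skips the copy. Because the option hands addressing data taken from device configurations to an external program and the shared clipboard, state the fallback and exit behaviour in this row, and make clear that `--extract-ips` on its own only displays the addresses.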
@@ -92,6 +111,46 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
92
111
  | `--license-key <key>` | License key (or set `SENTRIFLOW_LICENSE_KEY` env var) |
93
112
  | `--strict-packs` | Fail if encrypted pack cannot be loaded |
94
113
 
114
+ ### Extended Encrypted Packs (GRX2)
115
+
116
+ Extended GRX2 packs (.grx2) embed wrapped encryption keys, enabling offline scanning without network access.
117
+
118
+ | Option | Description |
119
+ |--------|-------------|
120
+ | `--grx2-pack <path...>` | Path(s) to extended encrypted rule pack(s) (.grx2) |
121
+ | `--strict-grx2` | Fail immediately if any GRX2 pack cannot be loaded |
122
+ | `--show-machine-id` | Display the current machine ID (for license binding support) |
123
+
124
+ **Environment Variable:**
125
+ - `SENTRIFLOW_LICENSE_KEY` - License key for decrypting packs
126
+
127
+ **Offline Usage:**
128
+
129
+ GRX2 packs contain embedded wrapped keys, allowing complete offline operation:
130
+
131
+ ```bash
132
+ # Scan with portable pack (no network required)
133
+ SENTRIFLOW_LICENSE_KEY=ey... sentriflow --grx2-pack ./enterprise-rules.grx2 router.conf
134
+
135
+ # Scan with multiple packs
136
+ sentriflow --grx2-pack pack1.grx2 pack2.grx2 --license-key ey... configs/
137
+
138
+ # Strict mode: fail on pack load errors
139
+ sentriflow --grx2-pack rules.grx2 --strict-grx2 router.conf
140
+ ```
141
+
142
+ **Machine-Bound vs Portable Packs:**
143
+
144
+ - **Portable packs**: Work on any machine with a valid license key
145
+ - **Machine-bound packs**: Tied to a specific machine ID for additional security
146
+
147
+ Use `--show-machine-id` to display your machine ID when requesting machine-bound packs:
148
+
149
+ ```bash
150
+ sentriflow --show-machine-id
151
+ # Output: Machine ID: a1b2c3d4...
152
+ ```
153
+
95
154
  ### Directory Scanning
96
155
 
97
156
  | Option | Description |
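Review bot: The second Offline Usage example passes the key as `--license-key ey...` on the command line, where it is visible in process listings and shell history; the examples should read the key from `SENTRIFLOW_LICENSE_KEY` consistently, as the first one does. Separately, `--grx2-pack <path...>` is declared variadic, yet the first and third examples place `router.conf` directly after the pack path, so a greedy option parser would take the config file as another pack; put the config path before `--grx2-pack` in these examples. The Machine-Bound section also needs one line on what the machine ID is derived from, since the `--show-machine-id` output is shared when requesting machine-bound packs.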
@@ -125,7 +184,11 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
125
184
  "passed": false,
126
185
  "message": "Telnet is enabled - use SSH instead",
127
186
  "line": 12,
128
- "column": 1
187
+ "column": 1,
188
+ "category": "authentication",
189
+ "tags": [
190
+ { "type": "security", "label": "plaintext-protocol" }
191
+ ]
129
192
  }
130
193
  ]
131
194
  }
@@ -159,6 +222,38 @@ Produces SARIF 2.1.0 compliant output for integration with GitHub Code Scanning,
159
222
  sentriflow router.conf -f sarif > results.sarif
160
223
  ```
161
224
 
225
+ SARIF output includes rule categories and tags in the `properties` block:
226
+
227
+ ```json
228
+ {
229
+ "rules": [{
230
+ "id": "SEC-001",
231
+ "properties": {
232
+ "category": "authentication",
233
+ "tags": ["security:plaintext-protocol"]
234
+ }
235
+ }]
236
+ }
237
+ ```
238
+
239
+ ## Rule Categories
240
+
241
+ List all available categories:
242
+
243
+ ```bash
244
+ sentriflow --list-categories
245
+ ```
246
+
247
+ Filter rules by category:
248
+
249
+ ```bash
250
+ # List only authentication rules
251
+ sentriflow --list-rules --category authentication
252
+
253
+ # Output as JSON
254
+ sentriflow --list-rules --category encryption --list-format json
255
+ ```
256
+
162
257
  ## CI/CD Integration
163
258
 
164
259
  ### GitHub Actions
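Review bot: The SARIF sample encodes tags as strings (`"security:plaintext-protocol"`) while the JSON output sample in the previous hunk uses objects (`{ "type": "security", "label": "plaintext-protocol" }`), and the README does not state how one maps to the other. Add a sentence that SARIF tags are written as `type:label`, and say whether `category` and `tags` are always present, so consumers of both formats can parse them without guessing.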