Prismor CLI

A powerful command-line tool for scanning GitHub repositories for security vulnerabilities, secrets, and generating Software Bill of Materials (SBOM) — with built-in AI auto-fix that opens a PR to remediate vulnerabilities in seconds.

Quick Start

1. Get Your API Key

Get your API key (Free)

Sign up to generate your key instantly.

2. Install & Configure

Terminal
$ pip install prismor

Set your API key:

Terminal
$ export PRISMOR_API_KEY=your_api_key_here

Usage Examples

Basic Syntax

Terminal
$ prismor --repo <repository> [scan-type]

Repository Formats

Username/Repository format:

Terminal
$ prismor --repo owner/repository --fullscan

Full GitHub URL:

Terminal
$ prismor --repo https://github.com/owner/repository --fullscan

Scan Types

1. Vulnerability Scanning (VEX)

Scan for known vulnerabilities in dependencies.

Terminal
$ prismor --repo myrepository --vex

2. Secret Detection

Detect exposed API keys, tokens, and credentials.

Terminal
$ prismor --repo myrepository --detect-secret

3. SBOM Generation

Generate Software Bill of Materials.

Terminal
$ prismor --repo myrepository --sbom

4. Full Scan (All checks)

Run all security checks in one command.

Terminal
$ prismor --repo myrepository --fullscan

5. AI Auto-Fix

Scan for vulnerabilities and automatically open a PR with fixes. Pass --fix alongside any scan flag — it implies --scan if no other scan type is specified.

Terminal
$ prismor --repo myrepository --scan --fix

Returns a job_id immediately. Track progress with prismor fix-status. Want to run the fix on your own machine with your own LLM credits instead? See Local AI Auto-Fix.

JSON Output

Get results in JSON format for automation and CI/CD:

Terminal
$ prismor --repo myrepository --fullscan --json

Additional Commands

Trigger Auto-Fix (no scan)

Fire the AI agent directly without running a scan first. Accepts an optional --branch and --instruction.

Terminal
$ prismor trigger-fix owner/repository
Terminal
$ prismor trigger-fix owner/repository --branch develop --instruction "Update all lodash deps"

Fix Status

Check the status of an auto-fix job. Add --wait to block until the PR is created (up to 30 min).

Terminal
$ prismor fix-status <job_id>
Terminal
$ prismor fix-status <job_id> --wait

Local AI Auto-Fix (your own infrastructure)

Prefer to keep your source code and credentials on your own machine? prismor fix-local applies fixes locally instead of in Prismor's cloud. Scanning still runs in the cloud, but the fix is performed by a coding agent you already have installed (Claude Code, Codex, …) using your own LLM credits, editing your local checkout. Your code and GitHub token never leave your machine, and Prismor's hosted fix agent is not invoked.

1. Scan in the cloud and save the findings:

Terminal
$ prismor --repo owner/repository --scan -o findings.json

2. Fix locally with your own agent, in your current checkout:

Terminal
$ prismor fix-local --results findings.json

Or pull findings straight from a completed scan job:

Terminal
$ prismor fix-local . --from-scan <job_id>

Useful flags: --dry-run previews the prompt without changing files, --agent claude|codex picks the agent, --branch <name> creates a local git branch first, --instruction adds guidance, and --yes skips the confirmation prompt (required for non-interactive/CI use).

No Claude Code or Codex installed? Point Prismor at any agent with a {prompt} placeholder via an environment variable:

Terminal
$ export PRISMOR_LOCAL_AGENT_CMD='aider --yes --message {prompt}'

Check Configuration

Verify your CLI configuration and API key.

Terminal
$ prismor config

Version Information

Check your installed CLI version.

Terminal
$ prismor --version

Get Help

Display all available commands and options.

Terminal
$ prismor --help

Organization & Policy

Manage your organization's security policy as code and inspect your team — straight from the terminal or CI. Reads require any member; publishing policy requires an admin-scoped API key (see the note below).

Select an organization

List the orgs you belong to and set the active one (scans, fixes, and policy commands target it).

Terminal
$ prismor org list
Terminal
$ prismor org switch <slug>

Policy as code

Pull the active org policy to a file, version-control and review it, then apply it. Apply is signed server-side and enrolled devices pick it up within ~30s. The policy is YAML — see the policy authoring guide.

Terminal
$ prismor policy show
Terminal
$ prismor policy pull -o policy.yaml
Terminal
$ prismor policy lint policy.yaml
Terminal
$ prismor policy apply policy.yaml

In CI, skip the prompt and validate first:

Terminal
$ prismor policy apply policy.yaml --dry-run
Terminal
$ prismor policy apply policy.yaml --yes

Devices

List enrolled devices in your active org, with owner, status, and the policy version each has applied.

Terminal
$ prismor devices

Members

List the people in your active org and their roles.

Terminal
$ prismor members

API key scopes — keep admin keys off agent/CI machines

Reads (policy show/pull, devices, members) work with any key. Publishing policy (policy apply) requires an admin-scoped key — a scan-scoped key is rejected even if you're an owner. Give CI and AI coding agents scan-scoped keys so they can never weaken your policy; reserve admin keys for a human-controlled secret store.
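A CI gate that puts the policy-as-code sequence above (lint, dry-run, then apply --yes) together with the key-scope rule, written as an added example rather than the Prismor project's own code. PRISMOR_BIN, POLICY_PUBLISH and PRISMOR_ADMIN_API_KEY are names assumed for this script; the CLI itself reads PRISMOR_API_KEY.

```shell
#!/bin/sh
# Policy-as-code CI gate for Prismor (added example, not from the Prismor project).
# Assumed names: PRISMOR_BIN lets a test substitute the CLI binary; POLICY_PUBLISH=1
# is a hypothetical pipeline variable enabling the publish step; PRISMOR_ADMIN_API_KEY
# is a hypothetical secret-store variable holding the admin-scoped key.
set -eu

PRISMOR_BIN="${PRISMOR_BIN:-prismor}"

# Validate a policy file using the job-wide (scan-scoped) PRISMOR_API_KEY:
# lint it, then ask the server for a dry run. Neither step changes the active policy.
policy_validate() {
    policy="$1"
    "$PRISMOR_BIN" policy lint "$policy"
    "$PRISMOR_BIN" policy apply "$policy" --dry-run
}

# Publish only when the pipeline explicitly asks for it, and only with an
# admin-scoped key supplied for this single command. The admin key is never
# set as the job-wide PRISMOR_API_KEY, so other steps (and any agents they run)
# keep their scan-scoped key and cannot weaken the policy.
policy_publish() {
    policy="$1"
    if [ "${POLICY_PUBLISH:-0}" != "1" ]; then
        echo "publish step skipped (POLICY_PUBLISH != 1)" >&2
        return 0
    fi
    if [ -z "${PRISMOR_ADMIN_API_KEY:-}" ]; then
        echo "refusing to publish: no admin-scoped key in PRISMOR_ADMIN_API_KEY" >&2
        return 2
    fi
    PRISMOR_API_KEY="$PRISMOR_ADMIN_API_KEY" "$PRISMOR_BIN" policy apply "$policy" --yes
}

# Full gate: validation must pass before publish is even considered.
# Usage: policy_gate policy.yaml
policy_gate() {
    policy_validate "$1" && policy_publish "$1"
}
```

Run the validate step in every pipeline with the scan-scoped key, and reserve a protected job (where POLICY_PUBLISH=1 and the admin key are injected) for the publish step.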

Full Analysis & Dashboard

For comprehensive analysis and visualization of your scan results, access the Prismor Dashboard with interactive charts, historical data, and team collaboration features.

Go to Dashboard →