Mobb CLI
Last updated
Last updated
The community edition version of Mobb, or what we called Bugsy, is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code.
Bugsy has two main modes - Scan (no SAST report needed) & Analyze (the user must provide a pre-generated SAST report from one of the supported SAST tools).
Bugsy also has a review mode and add-scm-token mode, which are explained later.
To check out all the supported modes, run the following help command:
Analyzes a Checkmarx/CodeQL/Fortify/Snyk/SonarQube vulnerability report to identify issues that can be remediated automatically
Produces the code fixes and redirects the user to the fix report page on the Mobb platform
Uses Checkmarx or Snyk CLI tools to run a SAST scan on a given open-source GitHub/GitLab repo
Analyze the vulnerability report to identify issues that can be remediated automatically
Produces the code fixes and redirects the user to the fix report page on the Mobb platform
You can run Bugsy from the command line, using npx:
This will show you Bugsy's usage help:
To run a new SAST scan on a repo and get fixes, run the Bugsy Scan command. Example:
To get fixes for a pre-generated SAST report, run the Bugsy Analyze command. Example:
Bugsy will automatically generate a fix for each supported vulnerability identified in the results, and refer the developer to review and commit the fixes to their code.
To see all the options Bugsy allows, use the Scan or Analyze commands with the -h option:
If you utilize SAST scans as part of the CI/CD pipeline, Bugsy can be easily added and provide an immediate fix for every issue detected. Here is a simple example of a command line that will run Bugsy in your pipeline:
To enable automatic PR, make sure to enable --auto-pr
flag in your npx mobbdev@latest
analyze command. For example:
Click here to learn more about the Automatic PR feature.
Bugsy automatically stores your Mobb access token in the mobbdev.json
file. Here are the default storage locations of this file:
Windows: C:\Users\<USERNAME>\.config\configstore\mobbdev.json
Mac: ~/.config/configstore/mobbdev.json
To update your Mobb access token, edit the file in a text editor and replace the value YOUR_MOBB_API_TOKEN
with your Mobb access token as shown in the code snippet below.
If you haven’t generated your Mobb access token yet, click here to learn how to generate one.
To remove the Mobb access token, delete the mobbdev.json
file from your file system.
Mobb supports on-premise repositories as explained in the system requirements. However, to analyze an on-premise repository, the SCM token must be added to your Mobb account to grant Mobb access to read and write to your repository (To run analysis and commit fixes). This task can either be done on the Mobb UI as explained here, or via the Mobb CLI.
To add the SCM token via the CLI, you can use the add-scm-token
mode. To learn more about what's required for this mode, you can run the following command:
--scm-type Description: SCM type [required] [choices: "GitHub", "GitLab", "Ado", "Bitbucket"]
--url Description: URL of the repository (used in GitHub, GitLab, Ado, Bitbucket) [string] [required]
--token Description: SCM API token [string] [required]
--organization Description: Organization name in SCM (used in Azure DevOps) [string]
--refresh-token Description: SCM refresh token (used in GitLab) [string]
--api-key Description: Mobb authentication api-key [string]
--help Description: Show help [boolean]
Below are single-tenant-specific instructions
If your Mobb instance is in a single-tenant environment, you must configure the following environment variables to ensure Bugsy is communicating with the correct Mobb tenant instance.
API_URL=https://api-st-<YOUR_CUSTOM_MOBB_DOMAIN>/v1/graphql
WEB_LOGIN_URL=https://<YOUR_CUSTOM_MOBB_DOMAIN>/cli-login
WEB_APP_URL=https://<YOUR_CUSTOM_MOBB_DOMAIN>
Note: Replace <YOUR_CUSTOM_MOBB_DOMAIN>
with your Mobb tenant domain.
Here is a sample code snippet. In this example, our Mobb domain is TENANT_NAME.mobb.ai
: