Commands

seal add <package-version>

This command adds an entry to your project's local configuration file, instructing Seal to apply a backported fix to all instances of the specified package version.

Flags:

  • --os: Use this flag to add a fix for a package that is part of the operating system.

  • --fs <ecosystem>: Use this flag to fix a package within a specific filesystem ecosystem located in the target directory. If target-dir is not provided, the current directory is used. Supported ecosystems are java and python.

seal fix [target-dir]

This command replaces vulnerable packages with their secure, sealed versions directly within your project.

Flags:

  • --mode: Specifies which fixes to apply.

    • local: Applies the fixes defined in your local configuration file (this is the default).

    • remote: Applies fixes defined on the Seal server.

    • all: Attempts to fix every vulnerable package for which a sealed version exists.

  • --os: Fixes vulnerable packages managed by the operating system's native package manager. This flag supports:

    • yum: for CentOS, Red Hat Enterprise Linux, Oracle Linux, and similar.

    • dpkg: for Debian, Ubuntu, and similar.

    • apk: for Alpine.

  • --fs <ecosystem>: Fixes vulnerable packages found by scanning the filesystem within the specified [target-dir]. If no [target-dir] is provided, it defaults to the current directory. Supported ecosystems are java and python.

  • --upload-scan-results: Uploads the list of detected vulnerable packages to the Seal server. This is useful for deployments without a source control integration, as it allows Seal to discover and track your dependencies through your CI pipeline.

Arguments:

  • [target-dir]: The directory to scan for vulnerable packages when using the --fs flag.

seal help - Use this command to view the comprehensive usage instructions for the Seal CLI. It will print a list of all commands, flags, and their descriptions directly to your terminal.

seal scan [target-dir]

This command scans your project's open-source dependencies and prints a list of vulnerable packages, highlighting which ones have a sealed version available.

Flags:

  • --os: Scans for vulnerable packages managed by your operating system's native package manager. This supports yum (for CentOS, RHEL, etc.), dpkg (for Debian, Ubuntu, etc.), and apk (for Alpine).

  • --fs <ecosystem>: Finds vulnerable packages by scanning the filesystem. If you don't provide a [target-dir], it uses the current directory. Supported ecosystems are java and python.

  • --generate-local-config: Creates or updates a local configuration file with recommended fixes, which you can then apply using the seal fix command.

  • --generate-snyk-policy: Creates or updates the .snyk file to inform the Snyk scanner about vulnerabilities fixed by Seal. This flag must be used with --generate-local-config.

  • --upload-scan-results: Uploads the detected vulnerable packages to the Seal server. This is useful for environments without source control integration, allowing Seal to discover your dependencies via your CI pipeline.

  • --csv string: Saves the scan results to the specified file path in CSV format.

Arguments:

  • [target-dir]: The directory to scan for vulnerable packages when using the --fs flag.
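As an added example (not part of the Seal documentation), the sh function below chains the documented steps for one --fs ecosystem: seal scan with --generate-local-config, then seal fix --mode local. The names seal_fs_pipeline, run_seal, SEAL_DRY_RUN and seal-scan.csv are hypothetical, and the script assumes that these flags can be combined on one command line and that a failing step exits non-zero, neither of which this page states.

```shell
#!/bin/sh
# Added example: wraps the documented scan -> fix sequence for one --fs ecosystem.
# seal_fs_pipeline, run_seal and SEAL_DRY_RUN are hypothetical names, not Seal CLI features.

# Run one seal command line, or only print it when SEAL_DRY_RUN=1.
run_seal() {
    if [ "${SEAL_DRY_RUN:-0}" = "1" ]; then
        echo "seal $*"
    else
        seal "$@"
    fi
}

# usage: seal_fs_pipeline <ecosystem> [target-dir] [csv-path]
seal_fs_pipeline() {
    ecosystem="${1:-}"
    target_dir="${2:-.}"            # mirrors the CLI default: current directory
    csv_path="${3:-seal-scan.csv}"  # constructed default file name

    # Accept only the ecosystems this page lists for --fs.
    case "$ecosystem" in
        java|python) ;;
        *) echo "unsupported --fs ecosystem: '$ecosystem'" >&2; return 2 ;;
    esac

    if [ ! -d "$target_dir" ]; then
        echo "target-dir is not a directory: $target_dir" >&2
        return 2
    fi

    # 1. Scan, write recommended fixes to the local configuration file,
    #    and keep a CSV copy of the findings as a build artifact.
    #    Assumption: these flags may be combined in a single invocation.
    run_seal scan --fs "$ecosystem" --generate-local-config \
        --csv "$csv_path" "$target_dir" || return 1

    # 2. Apply only the fixes listed in the local configuration file.
    run_seal fix --fs "$ecosystem" --mode local "$target_dir" || return 1
}
```

Setting SEAL_DRY_RUN=1 prints the two command lines without invoking seal, which lets you review them before wiring the function into a CI job.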

seal version - Prints the current version of the Seal CLI. The latest version is always available for download here.

Flags:

These flags can be used with any Seal CLI command.

  • -h, --help: Prints the usage instructions and available options for the specified command.

  • -v, -vv, -vvv: Adjusts the logging verbosity level. This is useful for debugging and provides more detailed output.
