# CLI In CLI mode, the Seal CLI runs in your CI/CD pipeline, scans the manifest the build resolves against, and reports the result to the Seal Platform. CLI mode is the right choice when you cannot connect Seal to your source code (for example, your organization does not permit third-party SCM integrations) but you can run the Seal CLI in CI, where it can reach Seal's servers from inside the pipeline. A Seal Project is in CLI mode only if it is not also connected to source control. Connecting source control promotes the project to source code mode and the CLI's manifest scan stops being the discovery signal (though the CLI itself can keep running for remediation; see [Sealing Rules and CLI mode](#sealing-rules-and-cli-mode) below). ## What it sees Seal sees the manifest as the CLI's scan parses it on each pipeline run. This includes whatever the CLI is invoked against (a `package-lock.json`, a `requirements.txt`, a `pom.xml`, and so on), and behaves consistently with how a build-time scan resolves dependencies. The signal updates each time the pipeline runs, which is typically once per commit. CLI mode does not see what is in the repository between runs. If your CI does not run on a branch, CLI mode does not produce signal for that branch. ## What Seal needs The Seal CLI integrated into your build, configured with a [token](/new-documentation/new-docs/tokens.md). Seal does not need any read access to the repository; the CLI does the manifest reading inside your pipeline and reports back only what is needed for discovery. ## When to choose this mode * You cannot grant Seal read access to your source code, but the Seal CLI can run inside your CI/CD and reach Seal's servers from there. * SCM integration is on the roadmap but not yet approved, and you want full discovery and remediation in the meantime. ## Setting it up A Seal Project enters CLI mode automatically the first time the Seal CLI runs against it. To set up the CLI in your pipeline, see [Connecting via the Seal CLI in CI](/new-documentation/new-docs/cli-in-ci.md). ## Sealing Rules and CLI mode Sealing Rules apply whenever the Seal CLI runs, regardless of which package discovery mode the Seal Project is in. The most common pairings are: * **CLI discovery mode + the CLI running for remediation:** the CLI does both jobs in the same pipeline run. * **Source code discovery mode + the CLI running for remediation:** the SCM integration handles discovery; the CLI runs in CI to apply Sealing Rules and replace vulnerable packages with sealed versions. The CLI's [fix mode](/new-documentation/new-docs/creating-a-seal-project.md#cli-fix-mode) determines whether rules come from the Seal Platform (remote fix mode) or from a checked-in `.seal-actions.yml` file (local fix mode). ## Related * [Connecting via the Seal CLI in CI](/new-documentation/new-docs/cli-in-ci.md): how to set up the CLI in your pipeline. * [How Seal discovers your packages](/new-documentation/new-docs/how-seal-discovers-your-packages.md): how CLI mode compares to the other three. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sealsecurity.io/new-documentation/new-docs/package-discovery-mode/cli.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.