The Attestely CLI is a single Go binary. It scans your repository locally with Trivy, Semgrep and gitleaks, then optionally streams the findings to your Attestely workspace for LLM analysis and historical tracking.
You don’t need an Attestely account to run scans locally — the CLI works offline. You only need an account if you want analysis and dashboards.
1. Install via Homebrew (macOS, Linux)
The fastest path on a Mac or Linux dev machine.
brew install attestely/tap/attestely
The formula pins the latest stable release. Future upgrades are a regular
brew upgrade.
2. Install via curl (Linux, macOS, WSL)
If Homebrew isn’t your thing, the install script picks the right binary for
your platform and drops it in /usr/local/bin.
curl -fsSL https://attestely.com/install.sh | sh
The script is signed and pinned to a specific release SHA. Read it before
piping to sh if you want to — it’s open on the CLI repo.
3. Install via go install
For Go developers who’d rather build from source. Requires Go 1.22+.
go install github.com/getAttestely/cli/cmd/attestely@latest
The binary lands in $GOPATH/bin (usually $HOME/go/bin). Make sure that
directory is in your $PATH.
4. Verify the install
attestely --version
You should see something like attestely 1.0.0 (commit abc1234, built 2026-05-18).
5. Authenticate (optional — only for cloud features)
To stream scan results to your Attestely workspace, log in once:
attestely auth login
This opens your browser, walks you through OAuth on app.attestely.com, and stores a short-lived token in your OS keychain (Keychain on macOS, libsecret on Linux, Credential Manager on Windows).
6. Run your first scan
From the root of any git repository:
attestely scan .
The CLI orchestrates Trivy, Semgrep and gitleaks, deduplicates findings, and prints a summary table. On a fresh project it usually finishes in 20–60 seconds.
Example output:
attestely scan .
→ Cloning rules database... (cached)
→ Trivy (filesystem)... 12 findings
→ Semgrep (default ruleset)... 3 findings
→ gitleaks (committed secrets)... 0 findings
Found 11 unique findings after dedup:
Critical: 1
High: 3
Medium: 5
Low: 2
Top finding:
[Critical] gitleaks · Stripe live key in src/lib/env.example.ts:14
→ Move to .env and add to .gitignore.
Stream to workspace? [y/N]
Press y and the findings land in your dashboard under
Findings → Recent scans.
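As an added example (not part of the Attestely CLI or its docs), here is a small POSIX shell gate that parses the severity counts from the summary above and fails a CI job when anything at or above a chosen severity is reported. It assumes the plain-text summary format shown on this page, that attestely scan exits 0 once it completes, and that the Stream prompt reads its answer from stdin.

```shell
#!/bin/sh
# Added example, not the Attestely CLI's own code. Parses the summary block that
# `attestely scan .` prints (the "Critical: N" / "High: N" lines shown above).
# Assumptions: the plain-text summary format on this page is stable, the scan
# exits 0 once it completes, and the "Stream to workspace? [y/N]" prompt reads
# its answer from stdin (so /dev/null selects the default, N).

# count_at_or_above SUMMARY_TEXT MIN_SEVERITY
# Prints the total number of findings whose severity is MIN_SEVERITY or worse.
# Unknown MIN_SEVERITY values fall back to Critical (the strictest reading).
count_at_or_above() {
  printf '%s\n' "$1" | awk -v minsev="$2" '
    BEGIN {
      rank["Critical"] = 4; rank["High"] = 3; rank["Medium"] = 2; rank["Low"] = 1
      min = rank[minsev]; if (min == "") min = 4
      total = 0
    }
    # Only "<Severity>: <digits>" lines count; the "[Critical] gitleaks ..." detail
    # line and the "Found 11 unique findings" line are deliberately skipped.
    /^[ \t]*(Critical|High|Medium|Low):[ \t]*[0-9]+[ \t]*$/ {
      sev = $1; sub(/:$/, "", sev)
      if (rank[sev] >= min) total += $2
    }
    END { print total }'
}

# scan_gate MIN_SEVERITY
# Runs the scan non-interactively, echoes its output unchanged so the table is
# still visible in the CI log, and returns 1 when the gate is breached.
scan_gate() {
  out=$(attestely scan . < /dev/null) || return 1
  printf '%s\n' "$out"
  n=$(count_at_or_above "$out" "$1")
  [ "$n" -eq 0 ]
}

# Constructed sample, shaped like the example output above, for a dry run.
SAMPLE_SUMMARY='Found 11 unique findings after dedup:
Critical: 1
High: 3
Medium: 5
Low: 2
Top finding:
[Critical] gitleaks · Stripe live key in src/lib/env.example.ts:14'

# Dry run against the sample: 4 findings are High or worse.
count_at_or_above "$SAMPLE_SUMMARY" High
```

In a pipeline step, `scan_gate High || exit 1` fails the job only on High or Critical findings while Medium and Low stay visible in the log.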
7. Integrate with GitHub Actions
Drop this workflow at .github/workflows/attestely.yml to run Attestely
on every pull request:
name: Attestely Security Scan
on:
  pull_request:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: attestely/scan-action@v1
        with:
          token: ${{ secrets.ATTESTELY_TOKEN }}
Add ATTESTELY_TOKEN as a repository secret (Settings → Secrets and
variables → Actions → New repository secret). Grab the token value from
your Attestely workspace under Settings → API tokens.
8. Troubleshooting
command not found: attestely — the install dir isn’t in your $PATH.
For go install, add $HOME/go/bin to your shell rc file:
echo 'export PATH="$HOME/go/bin:$PATH"' >> ~/.zshrc
permission denied from the curl install — the script tries to write
to /usr/local/bin. Re-run with sudo, or set INSTALL_DIR=$HOME/.local/bin
in your environment first.
Scan stuck on Trivy — Trivy downloads its vulnerability DB on first
run (~250 MB). Subsequent runs are cached. If it hangs, set
TRIVY_TIMEOUT=10m and retry.
Workflow runs but no PR review appears — three things to check:
- ATTESTELY_TOKEN is set and not expired
- The workflow has permissions: pull-requests: write
- The Attestely GitHub App has Read and write access to pull requests on that repo
Still stuck? Drop us a line — we triage every report within 48 hours.
9. Next steps
- Connect a workspace — analysis, history, PR comments
- Browse pricing — Free forever for hobby projects, Solo at €19/month for serious indie work
- Security posture — how we handle your code and findings
- CLI source on GitHub — AGPLv3, contributions welcome
Got a question? Drop us a note — we read everything.