HomeGuidesAPI ReferenceChangelog
Log In
Guides

Overview and CLI Configuration

The RegScale Command Line Interface (CLI) is available for Enterprise Edition (EE) customers to perform advanced automations and to scale-out integrations for bulk data processing. The CLI is published as a Python library that can be installed via PIP which is the standard methodology for installing Python Packages. The CLI consists of several components:

  • RegScale Python PIP Package - the RegScale CLI for executing commands
  • init.yaml file - configuration file supporting the CLI
  • RegScale CLI Container - a containerized version of the CLI that contains all dependencies that are pre-installed and configured.

CLI Libraries

The CLI will continue to expand and evolve over time to support additional automations both with RegScale and with popular commercial and government tools. Each library below has its own documentation which details the list of CLI commands available for each library. The current list is shown below (broken out between internal RegScale CLI functions, government integrations, and commercial integrations):

CommandTypeDescription
Aboutinternaldisplays version and other information about the CLI
Azure AD SSOcommercialperforms directory and user synchronization functions
Admin Actionsinternalperform administrative actions in RegScale via like send_reminders and update_compliance_history
alienvaultcommercialloads AlienVault OTX pulses as threats
Assessmentinternalbuild, edit, and load assessments from Excel
awscommercialAWS Security Hub integration
azurecommercialMicrosoft Intune integration
cataloginternalDiagnostic tool for comparing and managing catalogs
change_passkeyinternalchanges the passkey for encryption/decryption
cisapublicsyncs DHS CISA alerts and Known Exploitable Vulnerabilities (KEV)
compareinternalfile comparison tool for audit support
configinternalmanage parameters and configuration for the CLI
control-editorinternalbuild, edit, and load control implementations from Excel
decryptinternaldecrypts config file during runtime
defendercommercialsyncs Microsoft Defender alerts and recommendations for both devices and cloud
emasspublicgenerates eMASS templates and populates with data
encryptinternalencrypts config file to protec secrets
env_infointernaldisplays information about the environment and the RegScale CLI
evidenceinternaldownloads evidence files and zips them to create an audit package
fedramppublicloads FedRAMP SSP Word document or OSCAL into RegScale
healthcheckinternalperforms healthcheck to ensure RegScale application and database are online
initinternalcreates a new init.yaml configuration file for the CLI
jiracommercialsyncs issues from RegScale into JIRA tickets
logininternallogs into the RegScale application via the CLI
migrationsinternalutility for migrating legacy data to new schema
nistpublicutilities for sorting NIST controls
oktacommercialperforms directory and user synchronization functions
oscalpublicprocesses and loads OSCAL catalog, profiles, and components into RegScale
qualyscommercialsyncs scan data from Qualys into RegScale
servicenowcommercialsyncs issues from RegScale into ServiceNow incidents
stigpublicprocesses STIG files and loads as asset checks in RegScale
tenablecommercialsyncs scan data from Tenable into RegScale
validate_tokeninternalensures JWT token is valid in RegScale
wizcommercialsyncs scan data, inventory, issues, threats, and vulnerabilities into RegScale

Pre-Requisites

  • You must ensure the latest version of Python is installed on the machine ( >= 3.9.0 & <=3.11)
    • On Ubuntu, you can install with sudo apt install python3.9
  • Ensure that pip is installed for the OS you are using on the sidecar
  • NOTE: If you receive a path error on Linux, you may need to logout of the session and back in to make the path available for the user (common issue on Ubuntu)

Using the CLI

The CLI is available on PyPi under the RegScale CLI Project. To install the CLI on your machine, make sure Python is available ( >= 3.9.0 & <=3.11), pip is installed for package management, and then run the following commands:

# Install CLI from PyPi
python3 -m pip install regscale-cli

for Windows:

# Install CLI from PyPi
python.exe -m pip install regscale-cli

These commands will install the RegScale CLI, manually update GraphQL dependencies, create a directory for processing artifacts/logs, and then pull down a template for the init.yaml file for you to edit as shown in the next section.

NOTE: If you see any warnings during the install about the PATH for RegScale, make sure you update the path with your directory.

For Linux/Mac, example here: export PYTHONPATH=$PYTHONPATH:/home/howieavp76/.local/bin.

For a Windows installation, you should update the system or user environment variables to bring in the Python scripts folder:
add C:\Users\YOURUSER\AppData\Local\Programs\Python\Python310\Scripts to the Python Path, where Python310 denotes your version number and YOURUSER is your user name.

Using the CLI in a Container

A common use case for the CLI is to spin up jobs at some frequency for bulk data processing. Many customers are now using containers to spin up the RegScale CLI to perform a job and then tear it self down to keep costs low in a cloud-native style architecture for data processing. To access the container, you can pull from the RegScale CLI Docker Hub:

docker pull regscale/regscale-cli:latest

Further instructions for using the CLI will be made available in the Docker Hub README.

Initialization

Initialize your CLI environment with the init command:

regscale init

The CLI will generate a default init.yaml file and prompt you for RegScale domain and to log in:

Initializing your RegScale CLI environment...
Would you like to change your RegScale domain from https://regscale.yourcompany.com/? (Y/n): y

Please enter your RegScale domain.
Example: https://mydomain.regscale.com/
Domain: https://regscale.mycomapny.com
[2023/01/20 04:32;41] INFO     [2023/01/20 04:32;41] [INFO ]  Valid URL provided, regscale.py:349
                               init.yaml has been updated.                                       
Would you like to log in to your RegScale instance? (Y/n): y
Please enter your username: rross
Please enter your password:

In Infrastructure as Code scenarios, you can initialize your CLI environment and pass parameters inline:

regscale init --domain https://regscale.mycompany.com --username rross --password <yourpassword>

Alternatively, initialize your CLI environment and skip prompts with the --skip-prompts flag:

regscale init --skip-prompts

The CLI is driven by a set of configurations that are specified in the init.yaml file.

The structure of init.yaml file is shown below:

###################################################################
#  REGSCALE CONFIG
###################################################################
domain: https://regscale.yourcompany.com/
token: Bearer <my JWT here>
assessmentDays: 10
userId: 8d8d5468-74f9-499d-976c-bca671e19b15
maxThreads: 1000
###################################################################
#  WIZ CONFIG
###################################################################
wizAccessToken: <createdProgrammatically>
wizClientId: <myClientIdGoesHere>
wizClientSecret: <mySecretGoesHere>
wizScope: <filled out programmatically after authenticating to Wiz>
wizUrl: <my Wiz URL goes here>
wizAuthUrl: https://auth.wiz.io/oauth/token
wizExcludes: My things to exclude here
###################################################################
#  ACTIVE DIRECTORY CONFIG
###################################################################
adAuthUrl: https://login.microsoftonline.com/
adGraphUrl: https://graph.microsoft.com/.default
adAccessToken: <createdProgrammatically>
adClientId: <myClientIdGoesHere>
adSecret: <mySecretGoesHere>
adTenantId: <myTenantIdGoesHere>
###################################################################
#   AZURE MICROSOFT DEFENDER 365 CONFIG
###################################################################
azure365AccessToken: <createdProgrammatically>
azure365ClientId: <myClientIdGoesHere>
azure365Secret: <mySecretGoesHere>
azure365TenantId: <myTenantIdGoesHere>
###################################################################
#   AZURE MICROSOFT DEFENDER FOR CLOUD CONFIG
###################################################################
azureCloudAccessToken: <createdProgrammatically>
azureCloudClientId: <myClientIdGoesHere>
azureCloudSecret: <mySecretGoesHere>
azureCloudTenantId: <myTenantIdGoesHere>
azureCloudSubscriptionId: <mySubscriptionIdGoesHere>
###################################################################
#   JIRA CONFIG
###################################################################
jiraUrl: <myJiraUrl>
jiraUserName: <jiraUserName>
jiraApiToken: <jiraAPIToken>
###################################################################
#   SERVICENOW CONFIG
###################################################################
snowUrl: <mySnowUrl>
snowUserName: <snowUserName>
snowPassword: <snowPassword>
###################################################################
#   OKTA CONFIG
###################################################################
oktaUrl: https://mycompany.okta.com/
oktaApiToken: Can be a SSWS token from Okta or created programmatically
oktaClientId: <oktaClientIdGoesHere>
oktaScopes: okta.users.read okta.roles.read
oktaSecretKey: 
	d: get from Okta,
	p: get from Okta,
	q: get from Okta,
	dp: get from Okta,
	dq: get from Okta,
	qi: get from Okta,
	kty: get from Okta,
	e: get from Okta,
	kid: get from Okta,
	n: get from Okta
###################################################################
#   OSCAL CONFIG
###################################################################
oscalCliPath: /home/myuser/OSCAL

The YAML file is read during the execution of commands and must be set properly for the CLI to execute. Each of the fields in the configuration file are described below:

  • domain - the URL for your instance of RegScale
  • token - the JWT bearer token for authenticating requests. This can be set one of three ways:
    • Paste from your user profile after logging into RegScale
    • Use the RegScale login CLI to authenticate which will automatically set the token in the YAML file (good for 24 hours)
    • Using Administrator privileges in RegScale, create a service account which can generate a long-running token that can be used for API access. Paste this token into the YAML file.
  • assessmentDays - Number of days to add to today's date for new assessments created in RegScale created via RegScale CLI
  • userId - your RegScale user ID which is a GUID value (NOTE: This is programmatically set when logging in.)
  • maxThreads - The total number of threads the application is allowed to use. (NOTE: Changing this number can have a negative or positive impact on performance.)

NOTE: The init.yaml file contains sensitive keys and secrets and should be stored securely. Non-RegScale configuration is described on the CLI page for each specific integration we support.

Upgrading the CLI

If you are ready to upgrade to the latest version of the CLI, run the following command:

pip install regscale-cli --upgrade
  • Manually force a specific version upgrade as follows:
pip install -i regscale-cli==1.1.8

Uninstall the CLI

To uninstall, run the following command:

pip uninstall regscale-cli