armoctl CLI
Install and use the armoctl command-line tool to access the ARMO platform from the terminal, scripts, and CI.
Overview
armoctl is a JSON-first CLI that exposes 13 resource clusters of the ARMO security platform: incidents, vulns, posture, risks, attack-chains, inventory, network-policies, seccomp, runtime-rules, runtime-policies, integrations, cloud-accounts, and repo-posture. Every command emits JSON on stdout with a consistent shape, making it straightforward to pipe results into scripts, CI pipelines, or AI agents. Mutations are wrapped with a dry-run preview and a --yes confirmation contract, and each executed mutation is appended to an audit log.
Install
```bash
curl -fsSL https://package-distribution.armosec.io/armoctl/install.sh | bash
```
Platform binaries are also available from GitHub Releases.
Authentication
Run the interactive setup once:
```bash
armoctl configure
```
Or set environment variables (preferred for scripts and CI):
```bash
export ARMO_CUSTOMER_GUID=...
export ARMO_ACCESS_KEY=...
export ARMO_API_BASE_URL=api.armosec.io # api.us.armosec.io for US tenants
```
Where to find each value:
- Customer GUID — ARMO Platform UI → top-right account dropdown.
- Access Key — cloud.armosec.io/settings/workspace/agent-access-keys (EU) or cloud.us.armosec.io/settings/workspace/agent-access-keys (US).
- API base URL — api.armosec.io (EU, default) or api.us.armosec.io (US).
Credentials are saved to ~/.armoctl/config.yaml.
Output contract
Every command emits JSON on stdout with one of three shapes:
List (armoctl <cluster> list ...)
```json
{ "items": [...], "total": 1234, "page": 1, "pageSize": 50, "nextCursor": "..." }
```
Get (singular resource)
```json
{ "guid": "...", "name": "...", ...full object... }
```
Mutation (any command that writes)
```json
{ "result": {...}, "changed": true, "dryRun": false }
```
Token-shaping flags
By default, list returns a curated summary projection. Override with:
| Flag | Effect |
|---|---|
| --full | Return the raw API response with every field. |
| --fields a,b,c.d | Keep only the specified dotted paths. |
| --query '<gojq>' | Apply a gojq expression after field/summary projection. Takes precedence over --fields. |
Other format flags: --output json|yaml|ndjson|table|csv (default json). --limit N caps auto-paged lists (default 500).
Mutation safety
Every command that writes data:
- Accepts --dry-run to print the would-be request payload without sending it. Always run this first to inspect what will change.
- Requires --yes to commit in non-interactive contexts. Without --yes, mutations exit with code 6 (NEEDS_CONFIRM). On a TTY, the CLI will prompt for confirmation instead.
- Appends an RFC3339-timestamped entry to ~/.armoctl/audit.log for every executed mutation. Override the path via $ARMOCTL_AUDIT_LOG.
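The preview-then-commit flow above as a CI wrapper, added here as an example and not part of armoctl or the ARMO documentation. `guarded_mutation`, `approve` and `fake_run` are hypothetical names, the sample JSON is constructed, and the wrapper assumes a dry run emits the mutation shape with `dryRun` set to true.

```python
import json
import subprocess

NEEDS_CONFIRM = 6  # documented exit code for a mutation run without --yes

class MutationError(RuntimeError):
    """Raised when armoctl output breaks the documented mutation contract."""

def run_cli(argv):
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout

def parse_mutation(stdout):
    doc = json.loads(stdout)
    if not isinstance(doc, dict) or not {"result", "changed", "dryRun"}.issubset(doc):
        raise MutationError("output is not the mutation shape")
    return doc

def guarded_mutation(argv, approve, run=run_cli):
    """Preview with --dry-run, let approve(result) decide, then commit with --yes."""
    code, out = run([*argv, "--dry-run"])
    if code != 0:
        raise MutationError(f"dry run failed with exit code {code}")
    preview = parse_mutation(out)
    if preview["dryRun"] is not True:  # assumption: dry runs report dryRun=true
        raise MutationError("preview was not flagged as a dry run")
    if not approve(preview["result"]):
        return {"committed": False, "preview": preview}
    code, out = run([*argv, "--yes"])
    if code == NEEDS_CONFIRM:
        raise MutationError("NEEDS_CONFIRM: --yes did not reach the CLI")
    if code != 0:
        raise MutationError(f"mutation failed with exit code {code}")
    final = parse_mutation(out)
    if final["dryRun"] is not False:
        raise MutationError("commit came back flagged as a dry run")
    return {"committed": True, "preview": preview, "final": final}

def fake_run(argv):
    """Constructed stand-in for armoctl so the example runs offline."""
    dry = "--dry-run" in argv
    if not dry and "--yes" not in argv:
        return NEEDS_CONFIRM, ""
    return 0, json.dumps({"result": {"status": "resolved"}, "changed": not dry, "dryRun": dry})

if __name__ == "__main__":
    cmd = ["armoctl", "incidents", "resolve"]  # a real call also needs that command's own flags
    print(guarded_mutation(cmd, lambda r: r.get("status") == "resolved", run=fake_run))
```

Pass the full mutate command as `argv` without `--dry-run` or `--yes`; the wrapper appends them itself, so a pipeline cannot skip the preview.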
Cluster surfaces
| Cluster | Read subcommands | Mutate subcommands |
|---|---|---|
| incidents | list, alerts, severities | resolve |
| vulns | cves, components, hosts, images, workloads, severity, scan, history, top, exceptions list | exceptions create, exceptions update, exceptions delete |
| posture | controls, frameworks, resources, exceptions list | exceptions create, exceptions delete |
| risks | list, resources, severities, exceptions list | exceptions create, exceptions update, exceptions delete |
| attack-chains | list | — |
| inventory | list, unique-values | — |
| network-policies | list | generate |
| seccomp | list | generate |
| runtime-rules | list, get, evaluate | create, update, delete |
| runtime-policies | list | create, update |
| integrations | jira projects, jira issue-types, jira fields | jira create-ticket, alert-channels create, siem create, unlink |
| cloud-accounts | ecs list | ecs connect, ecs disconnect |
| repo-posture | repositories, files, resources, failed-controls | — |
For flag-level detail on any command, run armoctl <cluster> <subcommand> --help or consult the armoctl GitHub repository.
See also
- Claude Code plugin — natural-language access to ARMO via Claude
- Gemini CLI extension — natural-language access via Gemini
- ARMO OpenAPI — direct REST access
