CLI
Fix Enterprise users can use fixctl to integrate Fix into their CI/CD pipelines, automate security checks, and more.
Installation
Direct Download
| OS | Architecture | Download |
|---|---|---|
| Linux | x86_64 | Download |
| Linux | arm64 | Download |
| macOS | Universal | Download |
| Windows | x86_64 | Download |
| Windows | arm64 | Download |
Once downloaded make the binary executable and move it to a directory in your PATH.
Using Homebrew
To install fixctl using Homebrew, run the following command:
$ brew install someengineering/tap/fixctl
Usage
fixctl allows you to search the Fix Security Graph and export cloud inventory data for further processing.
Usage:
fixctl [flags]
Flags:
--csv-headers string CSV headers (default "id,name,kind,/ancestors.cloud.reported.id,/ancestors.account.reported.id,/ancestors.region.reported.id")
--endpoint string API endpoint URL (env FIX_ENDPOINT) (default "https://app.fix.security")
--format string Output format: json, yaml or csv (default "json")
-h, --help help for fixctl
--search string Search string
--token string Auth token (env FIX_TOKEN)
--verbose enable verbose output
-v, --version version for fixctl
--with-edges Include edges in search results
--workspace string Workspace ID (env FIX_WORKSPACE)
Go to your user settings and create an API token. Set the FIX_TOKEN environment variable to the token value.
Then go to your workspace settings and export FIX_WORKSPACE to the workspace ID you want to query.
$ export FIX_TOKEN=fix_e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
$ export FIX_WORKSPACE=381cf723-65cb-469e-8d63-95d7c5249a8c
Examples
Search for orphaned AWS EBS volumes and output CSV format
Search for available AWS EBS volumes that have not been accessed in the last 7 days and output in CSV format.
$ fixctl --format csv --search "is(aws_ec2_volume) and volume_status = available and last_access > 7d"
vol-0adeedfc71dcbe9d5,ResotoEKS-dynamic-pvc-e575191f-d4f3-4253-96e4-399ded05bf14,aws_ec2_volume,aws,752466027617,eu-central-1
vol-0ae5f3fad85b7b3c6,vol-0ae5f3fad85b7b3c6,aws_ec2_volume,aws,625596817853,eu-central-1
vol-0fe068d91a8aaaced,ResotoEKS-dynamic-pvc-08ded29a-70c9-4d36-9d28-727140850d96,aws_ec2_volume,aws,752466027617,eu-central-1
Pass data to jq and generate AWS CLI commands
The default output format for fixctl is JSON. Here we search for the same orphaned volumes and use jq to format the output as aws ec2 delete-volume commands.
$ fixctl --search "is(aws_ec2_volume) and volume_status = available and last_access > 30d" | jq -r '. | "aws ec2 delete-volume --volume-id \(.reported.id) --region \(.ancestors.region.reported.id) --profile \(.ancestors.account.reported.id)"'
aws ec2 delete-volume --volume-id vol-0adeedfc71dcbe9d5 --region eu-central-1 --profile 752466027617
aws ec2 delete-volume --volume-id vol-0ae5f3fad85b7b3c6 --region eu-central-1 --profile 625596817853
aws ec2 delete-volume --volume-id vol-0fe068d91a8aaaced --region eu-central-1 --profile 752466027617
This output could be piped to a shell and executed directly or saved to a shellscript file for later use.
