Taco CLI
Scan for CVEs and generate SBOMs from your terminal: free, no account needed. When you're ready for continuous monitoring, the platform is waiting.
What Taco CLI does
Real security tooling, zero friction
No sign-up, no telemetry, no cloud dependency. Install it, run it, get results.
CVE Scanning
Point Taco CLI at any directory, container image, or lockfile and get an immediate CVE report. Results pull from NVD, OSV, and GitHub Advisories, all three on every scan.
SBOM Generation
Generate a CycloneDX or SPDX-compliant Software Bill of Materials from your project in seconds. Covers npm, pip, Go modules, Maven, Cargo, RubyGems, and more.
CI/CD Integration
Add a scan step to any pipeline. Use --fail-on to gate deployments on severity: block on critical, warn on high, pass on medium. No account, no API key, no vendor lock-in.
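The gating logic behind a severity threshold flag, written out as an added example. This is not Taco CLI's own code and does not invoke it; the JSON input shape, the finding IDs, the package names and the function names (`gate`, `rank`) are all constructed assumptions for illustration. It shows the two things a pipeline step needs: an ordered severity scale so "fail on high" also fails on critical, and a fail-closed default for severity labels the scale does not recognise.

```python
"""Severity gate for a CI step, in the spirit of a --fail-on flag.

Constructed example: the input schema is assumed, not any tool's real
output format, and the finding IDs and package names are placeholders.
"""
import json
import sys

# Severity ranking, lowest to highest; thresholds compare positions in it.
SEVERITY_ORDER = ("low", "medium", "high", "critical")

# Constructed sample scan output (placeholder IDs, not real advisories).
SAMPLE_SCAN_JSON = json.dumps({
    "findings": [
        {"id": "EXAMPLE-0001", "package": "example-lib", "version": "1.2.3", "severity": "critical"},
        {"id": "EXAMPLE-0002", "package": "example-util", "version": "0.9.0", "severity": "high"},
        {"id": "EXAMPLE-0003", "package": "example-util", "version": "0.9.0", "severity": "medium"},
        {"id": "EXAMPLE-0004", "package": "example-parser", "version": "4.0.1", "severity": "low"},
        {"id": "EXAMPLE-0005", "package": "example-odd", "version": "2.0.0", "severity": "UNKNOWN"},
    ]
})


def rank(severity):
    """Map a severity label to its position in SEVERITY_ORDER.

    Unrecognised labels rank as critical so an unexpected value fails the
    gate instead of silently passing it (fail closed).
    """
    label = (severity or "").lower()
    if label in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(label)
    return len(SEVERITY_ORDER) - 1


def gate(scan_json, fail_on="critical", warn_on="high"):
    """Decide the pipeline outcome for one scan result.

    Returns (exit_code, blocking, warnings):
      exit_code  1 if any finding is at or above fail_on, else 0
      blocking   findings at or above fail_on
      warnings   findings at or above warn_on but below fail_on
    """
    if fail_on not in SEVERITY_ORDER or warn_on not in SEVERITY_ORDER:
        raise ValueError("thresholds must be one of %s" % (SEVERITY_ORDER,))
    fail_rank = SEVERITY_ORDER.index(fail_on)
    warn_rank = SEVERITY_ORDER.index(warn_on)
    blocking, warnings = [], []
    for finding in json.loads(scan_json).get("findings", []):
        r = rank(finding.get("severity"))
        if r >= fail_rank:
            blocking.append(finding)
        elif r >= warn_rank:
            warnings.append(finding)
    return (1 if blocking else 0), blocking, warnings


def main(argv):
    """Usage: python gate.py [fail_on] [warn_on]  (scan JSON on stdin, else sample)."""
    fail_on = argv[1] if len(argv) > 1 else "critical"
    warn_on = argv[2] if len(argv) > 2 else "high"
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    code, blocking, warnings = gate(data.strip() or SAMPLE_SCAN_JSON, fail_on, warn_on)
    for f in warnings:
        print("WARN  %s %s@%s (%s)" % (f["id"], f["package"], f["version"], f["severity"]))
    for f in blocking:
        print("BLOCK %s %s@%s (%s)" % (f["id"], f["package"], f["version"], f["severity"]))
    print("gate: fail_on=%s warn_on=%s -> exit %d" % (fail_on, warn_on, code))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is what the pipeline consumes: any non-zero return stops the deployment step, while warnings are printed and let the build pass. Treating an unknown severity as critical is a deliberate choice; a scanner that emits a new label should never widen the gate by accident.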
Multiple Output Formats
Get results as a human-readable table, machine-parseable JSON, or SARIF for direct upload to GitHub Code Scanning, Semgrep, or any SAST dashboard.
Taco CLI: Free forever
Everything you need to get started
- CVE scanning: local, unlimited scans
- SBOM generation (CycloneDX + SPDX)
- Table, JSON, and SARIF output
- CI/CD exit code control (--fail-on)
- No account required, no telemetry
- MIT licensed, forever free
The blind spot
Point-in-time vs. continuous
Every gap between CLI scans is a window where a new CVE can land undetected. The platform closes that window permanently.
CLI only
CVEs published between scans stay invisible until someone remembers to run the next scan, which may be days or weeks away.
Platform
Every new CVE is matched against your live SBOM inventory the moment it's published. You get an alert, not a surprise.
Platform only
What you're missing without the platform
The CLI tells you what's wrong right now. The platform tells you what went wrong last night, which team owns it, and whether it's been fixed.
Continuous Monitoring
CLI scans are snapshots. The platform watches your entire fleet 24/7 and alerts you the moment a new CVE is published against a dependency you're already running, not the next time you remember to scan.
Real-Time CVE Alerts
When Log4Shell dropped, teams without monitoring scrambled for days. Platform users got a push notification within minutes listing every affected deployment by name.
Team Dashboards & History
The CLI shows you what's vulnerable now. The platform shows you what was vulnerable last month, whether it got fixed, who fixed it, and which team still has open findings from 90 days ago.
EPSS-Weighted Risk Scoring
Not all CVEs are equal. The platform combines CVSS with EPSS exploit-probability scores and your actual reachability data, so you fix the 3 CVEs that matter instead of triaging 300.
Multi-Team Governance
Assign findings to teams, set SLA policies per severity, track remediation rates, and escalate overdue items automatically. The CLI can't do org-level accountability.
Secret Detection
API keys, tokens, and credentials baked into container images or committed to source: the platform catches them continuously across every build, not just when you remember to run a scan.
CIS Benchmark Validation
Continuous CIS scoring for Linux, Kubernetes, Windows, and Docker, with drift detection that alerts you when a node falls out of compliance between audits.
Compliance Reports
One-click SOC 2, NIS2, and ISO 27001 evidence packages built from your real posture data, not a checklist you filled in by hand.
Integrations
Slack alerts, PagerDuty escalations, Jira ticket creation, GitHub PR comments, and Webhook support. The CLI outputs to stdout. The platform routes findings to wherever your team actually works.
See It In Action
From CLI to continuous coverage.
Mean time to remediate
Faster response, less exposure
Continuous alerting and risk-ranked backlogs cut remediation time dramatically. Every hour of exposure is a window attackers can use.
Full breakdown
CLI vs Platform
Every feature, side by side. No asterisks.
| Feature | CLI (Free · MIT) | Platform (Paid · Full coverage) |
|---|---|---|
| Scanning | | |
| CVE scanning | Local / CI | Continuous |
| SBOM generation | CycloneDX + SPDX | Versioned + queryable |
| Secret detection | Basic, local | All builds, all time |
| Container image scanning | Manual | Registry-wide, automatic |
| CIS benchmark checks | Linux, K8s, Windows | |
| Monitoring | | |
| Continuous monitoring | | 24/7, every asset |
| New CVE alerts | | < 1hr from NVD publish |
| Compliance drift detection | | Alerts on config change |
| SBOM drift tracking | | Version-over-version diff |
| Prioritisation | | |
| CVSS scoring | | |
| EPSS exploit-probability | | Daily updated scores |
| Reachability analysis | | Context-aware risk |
| Risk-ranked backlog | | Actionable priority queue |
| Workflows | | |
| Team assignment | | |
| SLA tracking per severity | | |
| Slack / PagerDuty / Jira | | |
| GitHub PR comments | | |
| Compliance | | |
| SOC 2 evidence package | | |
| NIS2 compliance reports | | |
| Audit-ready SBOM export | Manual export only | Auto, versioned, signed |
| Access | | |
| No account required | | |
| MIT licensed | | |
| Self-hosted / offline | | |
The next Log4Shell won't wait for your next scan.
New CVEs drop every day. Without continuous monitoring, you find out when something breaks, not when something is exposed.
The natural next step
Start with the CLI. Graduate to the platform.
Taco CLI gives you an honest, immediate picture of your exposure: locally, in CI, with zero overhead. Most teams start here.
When a CVE drops on a Friday night, "run a scan in the morning" isn't good enough. The Taco platform runs continuously, surfaces new exposure automatically, and routes findings to the right team before the weekend is over. That's the gap the platform closes.