Safeguard CLI v5 is here. This is a ground-up rewrite of our command-line tool, and it changes how you interact with Safeguard in your terminal and CI/CD pipelines.
The headline numbers: SBOM generation is 10x faster for large projects. Vulnerability scanning completes in seconds rather than minutes. Memory usage is down 70%. And the new plugin architecture means you can extend the CLI for your specific needs.
Let me walk through what changed and why.
Why a Rewrite
The original Safeguard CLI was built in Node.js. It worked well for small to medium projects, but it hit performance walls for large monorepos. A project with 10,000 dependencies took over two minutes to scan. In CI/CD pipelines where every second counts, that was too slow.
We also hit architectural limits. Adding new scanning capabilities (binary analysis, container scanning, license detection) meant bolting on more code to a system that was not designed for extensibility. Each new feature made the codebase harder to maintain and the CLI slower to start.
v5 is written in Rust with a plugin system that keeps the core lean while allowing capabilities to be added modularly.
What Is New
10x Faster Scanning
The Rust rewrite delivers dramatic performance improvements:
| Operation | CLI v4 | CLI v5 | Improvement |
|-----------|--------|--------|-------------|
| SBOM generation (1000 deps) | 12.3s | 1.1s | 11x |
| SBOM generation (10000 deps) | 127s | 9.8s | 13x |
| Vulnerability scan | 8.4s | 0.9s | 9x |
| Policy gate check | 3.2s | 0.3s | 11x |
| CLI startup | 1.8s | 0.05s | 36x |
The performance gains come from three sources: Rust's inherent performance advantage for CPU-bound work, parallel dependency graph resolution, and a local vulnerability database cache that eliminates network roundtrips for repeated scans.
Plugin Architecture
The CLI core handles authentication, configuration, and output formatting. Everything else is a plugin:
```bash
# List installed plugins
safeguard plugin list

# Install a plugin
safeguard plugin install sbom-java
safeguard plugin install vuln-osv
safeguard plugin install license-scanner

# Use the plugin
safeguard scan --plugin sbom-java ./my-java-project
```
Built-in plugins (included with the CLI):
- sbom-core -- SBOM generation for Node.js, Python, Go, Rust, Ruby
- vuln-core -- Vulnerability scanning against NVD and OSV
- policy-core -- Policy gate evaluation
- guardrails-core -- Guardrails enforcement
Available plugins (install as needed):
- sbom-java -- Enhanced Java/Maven/Gradle SBOM generation
- sbom-dotnet -- .NET/NuGet SBOM generation
- sbom-container -- Container image SBOM generation
- sbom-binary -- Binary analysis for compiled artifacts
- vuln-ghsa -- GitHub Advisory Database integration
- license-scanner -- Deep license detection including file-level scanning
- reporter-sarif -- SARIF output for GitHub Code Scanning integration
- reporter-gitlab -- GitLab Security Report format output
Native CI/CD Integration
v5 includes first-class support for major CI/CD platforms:
GitHub Actions:
```yaml
- name: Safeguard Scan
  uses: safeguard-sh/cli-action@v5
  with:
    command: scan
    fail-on: critical
    upload-sbom: true
```
The GitHub Action automatically detects the project type, generates an SBOM, runs vulnerability scanning, checks policy gates and guardrails, and fails the build if blocking issues are found. Results appear as GitHub Check annotations on the PR.
GitLab CI:
```yaml
safeguard-scan:
  image: safeguard/cli:v5
  script:
    - safeguard scan --format gitlab-security
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
```
Jenkins, CircleCI, Azure DevOps: Supported through the standard CLI. Run safeguard scan in any pipeline that can execute a binary.
SBOM Diff in CI
One of the most requested CI features: SBOM diff as a PR check. When a PR changes dependencies, the CLI generates a diff showing exactly what changed and what the security implications are.
```bash
# Compare current branch SBOM against main branch
safeguard diff --base main --head HEAD
```
Output includes:
- New dependencies added (with vulnerability and license summary)
- Dependencies removed
- Version changes (with vulnerability delta -- did the upgrade fix CVEs? introduce new ones?)
- License changes
- Guardrail impact (will this change trigger any guardrail violations?)
In GitHub Actions, this output appears as a PR comment, giving reviewers immediate visibility into the supply chain impact of the change.
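To make those diff categories concrete, here is an added example (not Safeguard's own code) that classifies the changes between two constructed, CycloneDX-like SBOMs into the added/removed/version-change/license-change buckets described above, with a vulnerability delta per version change. The component shape and the `vulns` annotation are assumptions, since the page does not specify the CLI's JSON layout.

```python
# Added example (not Safeguard's code): classify dependency changes between
# a base and a head SBOM the way the page describes `safeguard diff` output.
# The SBOM shape (CycloneDX-like "components" with name/version/license and a
# constructed "vulns" list of placeholder IDs) is an assumption for illustration.

def _by_name(sbom: dict) -> dict:
    # Key components by package name so old and new versions line up.
    return {c["name"]: c for c in sbom["components"]}

def diff_sboms(base: dict, head: dict) -> dict:
    """Return added/removed/version_changed/license_changed component lists."""
    old, new = _by_name(base), _by_name(head)
    out = {"added": [], "removed": [], "version_changed": [], "license_changed": []}
    for name in sorted(new.keys() - old.keys()):
        c = new[name]
        out["added"].append({"name": name, "version": c["version"],
                             "license": c.get("license"), "vulns": c.get("vulns", [])})
    for name in sorted(old.keys() - new.keys()):
        out["removed"].append({"name": name, "version": old[name]["version"]})
    for name in sorted(old.keys() & new.keys()):
        o, n = old[name], new[name]
        if o["version"] != n["version"]:
            # Vulnerability delta: findings present before but gone now, and vice versa.
            before, after = set(o.get("vulns", [])), set(n.get("vulns", []))
            out["version_changed"].append({"name": name, "from": o["version"], "to": n["version"],
                                           "fixed": sorted(before - after),
                                           "introduced": sorted(after - before)})
        if o.get("license") != n.get("license"):
            out["license_changed"].append({"name": name, "from": o.get("license"), "to": n.get("license")})
    return out

def introduces_vulns(diff: dict) -> bool:
    """Gate helper: True when the change adds vulnerable components or new findings."""
    return any(a["vulns"] for a in diff["added"]) or any(v["introduced"] for v in diff["version_changed"])

# Constructed sample SBOMs for a pretend PR; vulnerability IDs are placeholders.
BASE_SBOM = {"components": [
    {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
    {"name": "lodash", "version": "4.17.15", "license": "MIT", "vulns": ["VULN-PLACEHOLDER-1"]},
    {"name": "request", "version": "2.88.0", "license": "Apache-2.0"},
]}
HEAD_SBOM = {"components": [
    {"name": "left-pad", "version": "1.3.0", "license": "WTFPL"},
    {"name": "lodash", "version": "4.17.21", "license": "MIT"},
    {"name": "axios", "version": "0.21.1", "license": "MIT", "vulns": ["VULN-PLACEHOLDER-2"]},
]}
```

Running `diff_sboms(BASE_SBOM, HEAD_SBOM)` reports axios as added with an open finding, request as removed, the lodash upgrade as fixing one finding, and the left-pad license change; `introduces_vulns` then flags the change as a candidate for a blocking gate.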
Offline Mode
v5 supports fully offline operation for air-gapped environments. Download the vulnerability database once, and the CLI can scan without network access:
```bash
# Download vulnerability database
safeguard db download --output ./vuln-db

# Scan offline
safeguard scan --offline --db ./vuln-db
```
The offline database includes NVD, OSV, and GHSA data. Update it periodically by running the download command on a connected machine and transferring the file.
Improved Output Formats
v5 supports multiple output formats:
```bash
# Human-readable table (default for TTY)
safeguard scan

# JSON (default for non-TTY, piping)
safeguard scan --format json

# SARIF (for GitHub Code Scanning)
safeguard scan --format sarif

# GitLab Security Report
safeguard scan --format gitlab-security

# Markdown (for PR comments)
safeguard scan --format markdown

# CSV (for spreadsheet warriors)
safeguard scan --format csv
```
Upgrading from v4
The v5 CLI is backward compatible with v4 configuration files. Your existing .safeguard.yml configuration works without changes.
```bash
# Install v5
npm install -g @safeguard/cli@5

# Or download the binary directly (faster, no Node.js required)
curl -fsSL https://cli.safeguard.sh/install.sh | sh

# Verify installation
safeguard --version
# safeguard 5.0.0

# Migrate any v4-specific configuration
safeguard migrate-config
```
The binary distribution is the recommended installation method for v5. It is a single static binary with no runtime dependencies -- no Node.js, no Python, no Docker required.
Breaking Changes
A few breaking changes from v4:
- The --output-format flag is now --format
- The scan --type flag is replaced by the plugin system (--plugin sbom-java instead of --type java)
- JSON output structure has changed to align with CycloneDX 1.6 (use --format json-v4 for backward compatibility during migration)
- The safeguard upload command is now safeguard sbom push
How Safeguard.sh Helps
The Safeguard CLI v5 is the fastest way to integrate supply chain security into your development workflow and CI/CD pipeline. Generate SBOMs in seconds, scan for vulnerabilities in milliseconds, enforce Guardrails automatically, and get actionable results in your terminal, PR comments, or CI reports. Combined with the MCP Server and Desktop App, the CLI completes the Safeguard toolkit -- supply chain security everywhere you work, at the speed you work. Install it today at safeguard.sh/cli.