command-reference.md

Command Reference

Dispatcher

safe run <args...>
safe audit <args...>
safe install [-g|--global] [--yes] <pkg> [...]
safe install --manager npm|pnpm|yarn|bun|composer -g [--yes] [--trust-host] <pkg> [...]
safe install --sandbox [--allow-scripts] <pkg> [...]
safe vendor update --name NAME --path PATH --reason TEXT -- COMMAND...
safe setup [<machine> | --all | --machine <csv>]
safe status
safe doctor [--json]
safe version
safe help

Unknown top-level commands are treated like safe run <args...>.

safe run

safe run [flags] <package>[@<version>] [-- args...]
safe run host-allow add <pkg>@<ver> [--reason "..."]
safe run host-allow update <pkg>@<new> [--reason "..."]
safe run host-allow remove <pkg>
safe run host-allow list
safe run block add <pkg> --reason "..."
safe run block remove <pkg>
safe run block list
safe run block import <url-or-file>
safe run audit [--blocked] [--since 24h]
safe run status
safe run link [--force]
safe run unlink
safe run install [-w -n] [--allow-scripts] <pkg>...

Runner flags:

--strict
-w, --write
-n, --network
-s, --allow-secrets
--node22
--py312
--proxy
-y, --yes
-h, --help
-v, --version

safe audit

safe audit capabilities [--json]
safe audit scan [--verbose] [--deps-only | --full] [--project <path>] [--all | --machine <csv>]
safe audit check <pkg>@<version> [--ecosystem <name>] [--json]
safe audit release github --repo OWNER/REPO --version TAG --asset NAME [--tag-regex REGEX] [--json]
safe audit vuln github-release --repo OWNER/REPO --version TAG [--json]
safe audit verify release-asset --artifact PATH --checksum PATH [--certificate PATH --signature PATH --certificate-identity-regexp REGEX --certificate-oidc-issuer URL] [--require-signature] [--json]
safe audit verify sigstore-bundle --artifact PATH --bundle PATH --identity VALUE --oidc-issuer URL [--json]
safe audit verify tuf-bootstrap --mirror PATH --root PATH --root-checksum SHA256 --target NAME=PATH [--target NAME=PATH ...] [--json]
safe audit binary exec PATH [--timeout SECONDS] [--json] -- [ARGS...]
safe audit ioc <identifier> [--all | --machine <csv>]
safe audit ioc --list <ioc.json> [--all | --machine <csv>]
safe audit ioc --update [--since <duration>] [--all | --machine <csv>]
safe audit setup [<machine> | --all | --machine <csv>] [--bundle <scanners.tar.gz|latest>]
safe audit setup --create-bundle [<scanners.tar.gz>]
safe audit diff [--all | --machine <csv>] [--since <duration>]
safe audit status
safe audit --version

safe audit setup detects existing scanner tools and can install scanners from an explicit local bundle. It does not download upstream release assets, run curl | sh, or run language package installers.

safe audit scan defaults to source mode: dependency manifests and lockfiles plus first-party source, while skipping installed dependency trees and generated output. Use --deps-only for manifests and lockfiles only, --full to scan the complete target tree, and --verbose to print project discovery, staged files, and scanner inputs.

Missing required scanners or audit tools for discovered project ecosystems stop the scan by default. If an interactive user explicitly continues, the missing tool coverage is reported as skipped and the verdict is WARN, not zero CVEs.

Vendor Updates

Package-manager wrappers cannot intercept binaries that update themselves from inside their own process. Use safe vendor update when deliberately running a vendor-native updater:

safe vendor update \
  --name codex \
  --path "$(command -v codex)" \
  --version-cmd "--version" \
  --reason "needed for a specific fixed bug" \
  --rollback "reinstall previous pinned version" \
  -- codex update

The command records before/after SHA-256 hashes, optional version output, the update command, exit code, reason, and rollback note in:

~/.local/share/safe/vendor/audit.log

This is an audit trail for native vendor binaries, not a registry vulnerability verdict. Prefer pinned target versions over latest when the vendor supports them.

This command does not automatically block in-app auto-updaters. If a tool can update itself while running, disable that tool's auto-update setting when possible and run deliberate updates through safe vendor update.

Install Wrapper Coverage

safe install -g <pkg> is the low-friction npm host-install path. It runs safe audit check for each explicit package, prompts before installing, and then forwards to npm install -g. Use --yes to skip the final prompt after a successful audit.

After a successful install of an exact npm version, interactive runs offer to add that exact package version to safe run host-allow. Use --trust-host to make that explicit in non-interactive workflows. latest, omitted versions, dist-tags, and ranges are never trusted.

Use --manager npm|pnpm|yarn|bun|composer or shortcut flags such as --yarn and --composer to translate -g:

safe install --pnpm -g cowsay@1.6.0
safe install --yarn -g typescript@5.0.0
safe install --bun -g cowsay@1.6.0
safe install --composer -g vendor/pkg:^1
safe install --trust-host -g cowsay@1.6.0

safe install --sandbox ... preserves the isolated safe run install workflow.

The zsh wrappers cover these command families:

npm, pnpm, yarn, bun
uv, pip, pip3
cargo
go
composer
volta

They run package checks for explicit package installs and project scans for lockfile or manifest based project operations.