
Automation — DefenseClaw

Overview

Both DefenseClaw CLIs can be scripted, but flags are command-specific. Use the generated command pages as the contract: if a page does not list --json, --yes, or another automation flag, do not assume it exists.

CI preflight

Run this before starting a build to fail fast on missing prerequisites:

#!/usr/bin/env bash
set -euo pipefail
defenseclaw version --json > version.json
defenseclaw keys check
defenseclaw config validate --quiet
defenseclaw doctor --json-output > doctor.json
Exit      Cause
0         All preconditions satisfied
non-zero  The failing command prints the failing subsystem or validation error

Gate a build on scanner verdicts

defenseclaw-gateway scan code ./src --json > scan.json
high_findings=$(jq '[.findings[] | select(.severity=="high" or .severity=="critical")] | length' scan.json)
if [[ "$high_findings" -gt 0 ]]; then
  jq -r '.findings[] | "\(.severity) \(.rule_id) \(.path):\(.line_number)"' scan.json
  exit 1
fi

Gate admission on skill / MCP review

defenseclaw skill scan --all --json | \
  jq -e '[.results[] | select(.verdict=="block")] | length == 0'

Exits 1 whenever any skill would be admission-blocked. Useful as a CI gate before merging a new skill into your allow-list.
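The two gates above (severity gate over `scan code --json`, verdict gate over `skill scan --all --json`) as one small Python module, for pipelines that would rather not depend on jq. This is an added example, not DefenseClaw's own code; the only JSON fields it assumes are the ones shown on this page (`findings[].severity`, `rule_id`, `path`, `line_number` and `results[].verdict`), and the sample documents are constructed. Unlike the shell versions, it fails closed when the expected top-level key is absent, so a truncated or malformed scan file cannot pass a build.

```python
"""Added example, not DefenseClaw's own code: the two CI gates above
(scanner severity gate and skill/MCP verdict gate) as one Python module.

Assumed JSON shapes come only from this page: `scan code --json` gives
{"findings": [{"severity", "rule_id", "path", "line_number"}, ...]} and
`skill scan --all --json` gives {"results": [{"verdict": ...}, ...]}.
"""
import json
import sys

BLOCKING_SEVERITIES = frozenset({"high", "critical"})


def gate_findings(scan, blocking=BLOCKING_SEVERITIES):
    """Return (exit_code, report_lines) for a code-scan document.

    Fails closed: a document without a "findings" key is an error, not a
    clean pass. Severity matching is case-insensitive so "High" and "high"
    are gated the same way.
    """
    if "findings" not in scan:
        raise ValueError("scan document has no 'findings' key; refusing to pass the gate")
    report = []
    for finding in scan["findings"]:
        severity = str(finding.get("severity", "")).lower()
        if severity in blocking:
            report.append(
                f"{severity} {finding.get('rule_id', '?')} "
                f"{finding.get('path', '?')}:{finding.get('line_number', '?')}"
            )
    return (1 if report else 0), report


def gate_skills(review):
    """Return (exit_code, blocked_count) for a skill/MCP review document.

    Mirrors `jq -e '[.results[] | select(.verdict=="block")] | length == 0'`.
    """
    if "results" not in review:
        raise ValueError("review document has no 'results' key; refusing to pass the gate")
    blocked = [r for r in review["results"] if r.get("verdict") == "block"]
    return (1 if blocked else 0), len(blocked)


# Constructed sample documents for a local dry run; not real scanner output.
SAMPLE_SCAN = {
    "findings": [
        {"severity": "critical", "rule_id": "RULE-1", "path": "src/a.py", "line_number": 10},
        {"severity": "High", "rule_id": "RULE-2", "path": "src/b.py", "line_number": 3},
        {"severity": "low", "rule_id": "RULE-3", "path": "src/c.py", "line_number": 7},
    ]
}
SAMPLE_SKILLS = {"results": [{"verdict": "allow"}, {"verdict": "block"}]}


def main(argv):
    """Usage: gate.py scan <scan.json> | gate.py skills <results.json> | gate.py demo"""
    if len(argv) == 2 and argv[1] == "demo":
        scan, review = SAMPLE_SCAN, SAMPLE_SKILLS
    elif len(argv) == 3 and argv[1] in ("scan", "skills"):
        with open(argv[2], encoding="utf-8") as fh:
            doc = json.load(fh)
        scan, review = (doc, None) if argv[1] == "scan" else (None, doc)
    else:
        print(main.__doc__, file=sys.stderr)
        return 2
    code = 0
    if scan is not None:
        scan_code, lines = gate_findings(scan)
        print("\n".join(lines))
        code |= scan_code
    if review is not None:
        skills_code, blocked = gate_skills(review)
        print(f"skills blocked: {blocked}")
        code |= skills_code
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python gate.py scan scan.json` after the scanner step; the process exit status is the gate, and the printed lines give the same `severity rule_id path:line` summary as the jq one-liner.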

Run scans in a scheduled job

# /etc/cron.d/defenseclaw-periodic-scan
# HEC must be defined in this file (as a VAR=value line) or in the service
# environment; cron does not load a login shell, so it will not inherit it.
0 */6 * * *  svc-defenseclaw  /usr/local/bin/defenseclaw skill scan --all --json \
             | /usr/local/bin/curl -H "Authorization: Bearer $HEC" --data-binary @- \
                 https://hec.corp.example.com:8088/services/collector/event

In practice you'd attach a Splunk HEC sink via defenseclaw setup observability instead; this is the escape hatch when you need a custom relay.

Propagate correlation IDs

Every request the CLI sends carries X-DefenseClaw-Correlation-Id. You can supply your own so a build can be traced end to end:

export DEFENSECLAW_CORRELATION_ID="ci-$GITHUB_RUN_ID"
defenseclaw skill scan --all --json

Downstream: every audit row, webhook payload, and OpenTelemetry span for that run shares the same ID.

Block on sidecar health in scripts

# Wait up to 30s for the sidecar; fail the script if it never becomes healthy
ready=0
for i in $(seq 1 30); do
  if defenseclaw-gateway status >/dev/null 2>&1; then
    ready=1
    break
  fi
  sleep 1
done
if [[ "$ready" -ne 1 ]]; then
  echo "defenseclaw-gateway not healthy after 30s" >&2
  exit 1
fi
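The same readiness policy in Python, with a hard deadline and a clear failure rather than a loop that silently runs out. This is an added example, not DefenseClaw's own code; `gateway_status_ok` assumes only what the shell loop assumes (a zero exit status from `defenseclaw-gateway status` means healthy), and the `clock`/`sleep` parameters exist so the wait policy can be exercised without real waiting.

```python
"""Added example, not DefenseClaw's own code: a bounded readiness wait
with a clear failure, the policy behind the shell loop above.

The `check` callable stands in for `defenseclaw-gateway status`;
`gateway_status_ok` is the real wrapper and assumes only that a zero
exit status means healthy, exactly as the shell loop does.
"""
import subprocess
import time


def wait_until_ready(check, timeout_s=30.0, interval_s=1.0,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll `check()` until it returns True or the deadline passes.

    Returns (ready, attempts). An exception from `check` (socket not yet
    listening, binary still starting) counts as "not ready" rather than
    aborting the wait. `clock` and `sleep` are injectable so the policy
    can be tested without waiting.
    """
    deadline = clock() + timeout_s
    attempts = 0
    while True:
        attempts += 1
        try:
            if check():
                return True, attempts
        except Exception:
            pass
        if clock() >= deadline:
            return False, attempts
        sleep(interval_s)


def gateway_status_ok(cmd=("defenseclaw-gateway", "status"), per_call_timeout_s=10):
    """Real check: run the status command, discard output, healthy iff exit 0.

    Each probe is bounded too; otherwise one hung status call could eat the
    whole readiness budget.
    """
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=per_call_timeout_s)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


if __name__ == "__main__":
    import sys
    ready, attempts = wait_until_ready(gateway_status_ok, timeout_s=30, interval_s=1)
    if not ready:
        print(f"defenseclaw-gateway not healthy after {attempts} probes", file=sys.stderr)
        sys.exit(1)
    print(f"gateway healthy after {attempts} probe(s)")
```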

Idempotent config changes

# Drift check: compare the desired config with what the CLI reports, after
# canonicalising both as sorted JSON so key order and formatting don't count.
# Assumes `yq .` emits JSON here (python yq); with mikefarah yq v4 use `yq -o=json .`.
desired=$(yq . ./desired-config.yaml | jq -S .)
current=$(defenseclaw config show --format json | jq -S .)
if [[ "$desired" != "$current" ]]; then
  echo "config drift detected; the live config file is at:" >&2
  defenseclaw config path
  exit 1
fi

The current CLI validates and prints config; it does not expose a generic config apply command. Use the setup commands for supported mutations.
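A structural version of the drift check above, as an added example that is not DefenseClaw's own code. It compares the two configs leaf by leaf after flattening, so key order, whitespace and serializer differences between `yq` output and `config show --format json` do not register as drift, and it can exclude paths the server owns (timestamps, generated ids). Loading the two documents is left to the caller; the sample configs and their keys are constructed, not DefenseClaw's schema.

```python
"""Added example, not DefenseClaw's own code: a structural drift check,
a more robust form of the string comparison in the script above.

Both configs are plain dicts (parse the YAML/JSON first). Nested dicts
are flattened to dotted paths; lists and scalars are compared as whole
leaf values. Sample configs below are constructed.
"""
import json
import sys


class _Missing:
    """Sentinel for 'key absent on this side' (distinct from a None value)."""
    def __repr__(self):
        return "<missing>"


MISSING = _Missing()


def flatten(obj, prefix=""):
    """Map nested dicts to {"a.b.c": leaf}; non-dict values are leaves."""
    if isinstance(obj, dict) and obj:
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    return {prefix[:-1]: obj}


def config_drift(desired, current, ignore=()):
    """Return sorted [(path, desired_value, current_value)] for each leaf
    that differs. Paths in `ignore` never count as drift."""
    d, c = flatten(desired), flatten(current)
    drift = []
    for path in sorted(set(d) | set(c)):
        if path in ignore:
            continue
        dv, cv = d.get(path, MISSING), c.get(path, MISSING)
        if dv != cv:
            drift.append((path, dv, cv))
    return drift


def report(drift):
    """One human-readable line per drifted path, for the CI log."""
    return [f"{path}: desired={dv!r} current={cv!r}" for path, dv, cv in drift]


# Constructed sample configs; keys are illustrative, not DefenseClaw's schema.
DESIRED = {"gateway": {"port": 8443, "tls": True},
           "scan": {"severity_floor": "high"},
           "audit": {"sink": "splunk"}}
CURRENT = {"gateway": {"tls": True, "port": 8080},
           "scan": {"severity_floor": "high"},
           "last_validated": "2024-01-01T00:00:00Z"}


def main(argv):
    """Usage: drift.py <desired.json> <current.json>  (no args: run the sample)"""
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as a, open(argv[2], encoding="utf-8") as b:
            desired, current = json.load(a), json.load(b)
    else:
        desired, current = DESIRED, CURRENT
    drift = config_drift(desired, current, ignore=("last_validated",))
    for line in report(drift):
        print(line)
    return 1 if drift else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit 1 means drift; the printed lines name the exact paths, which is what you want in a pipeline log instead of a bare "configs differ". Because there is no generic `config apply`, the remediation is still a human (or the relevant setup command) acting on the reported paths.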
