sikker CLI

Package

@sikkerapi/cli

Version

0.3.0

Platforms

Linux, macOS, Windows (x64 + arm64)

License

MIT

IP threat intelligence from your terminal · GitHub · Back to Docs

Installation

Pre-built binaries are available for Linux, macOS, and Windows on both x64 and arm64 architectures. The CLI is distributed via npm with platform-specific optional dependencies.

npm (recommended)

$ npm install -g @sikkerapi/cli

Run without installing

$ npx @sikkerapi/cli check 1.2.3.4

Shell script

$ curl -fsSL https://raw.githubusercontent.com/SikkerAPIOfficial/sikkerapi-cli/refs/heads/main/scripts/install.sh | sh

Verify installation

$ sikker --version sikker version 0.3.0

Authentication

All commands require an API key. Create a free account to get one, then save it locally with sikker auth. Your key is stored at ~/.config/sikkerapi/config.json with 0600 permissions. The SIKKERAPI_KEY environment variable takes precedence over the saved config. See pricing for quota details on each plan.

Save your API key

$ sikker auth sk_free_abc123... API key saved.

Or use an environment variable

$ export SIKKERAPI_KEY=sk_free_abc123... $ sikker check 1.2.3.4

Commands

The CLI wraps the full SikkerAPI REST API into simple terminal commands. Every command supports --json for raw JSON output and --help for usage information.

sikker check <ip>

Look up an IP address against the IP Check API. Returns confidence score, attack history, protocols, geolocation, detected behaviors, and matched primitives. Output is color-coded by threat level.

Flags

--max-ageintMaximum data age in seconds (0 = no limit)

--protocolsstrComma-separated protocol filter (e.g. ssh,http)

--excludestrFields to exclude from the response

--ignore-whitelistboolIgnore whitelist discount

--fail-aboveintExit code 1 if confidence ≥ value (for CI/CD gates)

--verboseboolInclude detailed data (protocols, behaviors, primitives). Default: true

--jsonboolOutput raw JSON instead of formatted table

Example

$ sikker check 185.220.101.34 IP 185.220.101.34 Confidence 92 First seen 2025-11-03 Last seen 2 hours ago Sessions 1,847 Country DE Protocols SSH, HTTP, FTP Behaviors credential_stuffing (high, 12) · port_sweep (medium, 8) Quota 945 / 1000 remaining (resets in 16h 11m)

sikker blacklist

Download a scored IP blacklist with flexible filtering. Use --plaintext to output bare IPs (one per line) for piping directly to firewalls or ipset.

Flags

--score-minintMinimum confidence score, 1–100 (default: 50)

--limitintMaximum number of IPs (default: 10, 0 = unlimited)

--plaintextboolOne IP per line for piping to firewalls

--only-countriesstrComma-separated ISO country codes to include

--except-countriesstrComma-separated ISO country codes to exclude

--ip-versionstrIP version: 4, 6, or mixed

--protocolsstrComma-separated protocol filter

--min-severitystrMinimum behavior severity: low, medium, high, or very_high

--only-asnstrComma-separated ASNs to include

--except-asnstrComma-separated ASNs to exclude

--ignore-whitelistboolIgnore whitelist discount

--jsonboolOutput raw JSON

Example

$ sikker blacklist --score-min 75 --limit 5 Generated: 2m ago — Score ≥ 75 — Count: 5 IP SCORE LAST SEEN COUNTRY PROTOCOLS ─────────────────────────────────────────────────────────── 185.220.101.34 92 2h ago DE SSH, HTTP 45.148.10.174 88 5h ago NL SSH 193.42.33.12 81 1d ago RU SSH, FTP ...

sikker report <ip>

Submit an abuse report for a single IP. Requires a category (by name or number 1–16). Reports are factored into the confidence score for the reported IP.

Flags

--categorystrAttack category (required) — name or number 1–16

--protocolstrProtocol involved (e.g. ssh, http, ftp)

--commentstrFree text, max 1000 characters

--jsonboolOutput raw JSON

sikker bulk-report <file>

Submit reports in bulk from a CSV or JSON file. Auto-detects format from file extension. Up to 10,000 reports per file (max 2 MB). You can also use the bulk reporter on the website.

CSV format

$ sikker bulk-report reports.csv # CSV format (header optional): IP,Category,Protocol,Comment 1.2.3.4,brute_force,ssh,Repeated login attempts 5.6.7.8,3,http,

JSON format

$ sikker bulk-report reports.json # JSON format: { "reports": [ { "ip": "1.2.3.4", "category": "brute_force", "protocol": "ssh" }, { "ip": "5.6.7.8", "category": 3 } ] }

sikker taxii

Query TAXII 2.1 / STIX 2.1 threat intelligence feeds. Two subcommands: list fetches STIX indicators from a collection, get retrieves the indicator for a specific IP.

taxii list — flags

--limitintMaximum number of objects (0 = no limit)

--offsetintPagination offset

--added-afterstrISO 8601 timestamp filter

--collectionstrTAXII collection ID (default: sikker-threat-intel)

--jsonboolOutput raw JSON

taxii get <ip> — flags

--collectionstrTAXII collection ID (default: sikker-threat-intel)

--jsonboolOutput raw JSON

Example

$ sikker taxii list --limit 3 STIX Bundle — 3 object(s) [1] indicator — 185.220.101.34 Pattern: [ipv4-addr:value = '185.220.101.34'] Labels: malicious-activity $ sikker taxii get 185.220.101.34 --json

sikker username <username>

Look up brute-force attack patterns for a specific username. Returns total sessions observed, protocol breakdown, and first/last seen timestamps. Explore the most targeted usernames on the username explorer.

Example

$ sikker username root "root" — 1,260,789 sessions First seen Jan 15, 2026 Last seen 2m ago Protocols SSH (1,200,000) · TELNET (45,000) · FTP (15,789)

sikker email <email>

Look up an SMTP recipient email address in the attack database. Returns total messages observed and first/last seen timestamps.

Example

$ sikker email [email protected] "[email protected]" — 4,521 messages First seen Feb 03, 2026 Last seen 6h ago

sikker bulk-check <file>

Check multiple IPs at once from a text or CSV file. Accepts one IP per line, max 10,000 IPs per request. Results are printed to the terminal (first 30 found) and written to a CSV file.

Flags

-o, --outputstrOutput CSV file path (default: bulk-check-<timestamp>.csv)

--jsonboolOutput raw JSON

Example

$ sikker bulk-check ips.txt Checking 500 IPs... Queried: 500 Found: 12 IP SCORE COUNTRY LAST SEEN ─────────────────────────────────────────────────────── 185.220.101.34 92 DE 2h ago 45.148.10.174 88 NL 5h ago ... Full results written to: bulk-check-2026-03-21-143052.csv

Alerts

Set up alerts to be notified when monitored IPs, CIDR ranges, usernames, or email addresses appear in attack data. Each alert command supports list and delete subcommands, and -l to add a label. Alert limits are enforced based on your subscription tier.

sikker ip-alert [ip]

Monitor individual IP addresses. You'll be notified when a monitored IP appears in new attack data.

Example

$ sikker ip-alert 1.2.3.4 -l "production server" Alert created for 1.2.3.4 (production server) ID: a1b2c3d4-... $ sikker ip-alert list $ sikker ip-alert delete <alert-id>

sikker cidr-alert [cidr]

Monitor entire CIDR ranges. When any IP in the range appears in attack data, you'll be notified. Minimum prefix length depends on your plan.

Example

$ sikker cidr-alert 10.0.0.0/24 -l "office network" Alert created for 10.0.0.0/24 (office network) ID: e5f6a7b8-... $ sikker cidr-alert list $ sikker cidr-alert delete <alert-id>

sikker username-alert [username]

Monitor brute-force usernames. Get notified when a username you're tracking appears in new attack sessions.

Example

$ sikker username-alert deploy -l "CI/CD user" Alert created for "deploy" (CI/CD user) ID: c9d0e1f2-... $ sikker username-alert list $ sikker username-alert delete <alert-id>

sikker email-alert [email]

Monitor SMTP recipient email addresses. Get notified when a monitored email appears as a target in honeypot SMTP attacks.

Example

$ sikker email-alert [email protected] -l "ops inbox" Alert created for "[email protected]" (ops inbox) ID: f3a4b5c6-... $ sikker email-alert list $ sikker email-alert delete <alert-id>

sikker auth <api-key>

Save your API key locally. The key must start with sk_ and is stored at ~/.config/sikkerapi/config.json with 0600 permissions. The masked key is displayed on success.

Example

$ sikker auth sk_free_abc123def456 API key saved: sk_fre...f456

Automation

The CLI is designed for scripting and automation. Use --plaintext, --json, and --fail-above to integrate with CI/CD pipelines, cron jobs, and firewalls. See our Fail2Ban, CSF, Nginx, and iptables integration guides for more options.

CI/CD gate — block if score ≥ 50

#!/bin/bash sikker check $DEPLOY_IP --fail-above 50 \ || { echo "Blocked: suspicious source IP"; exit 1; }

Cron — update blocklist every hour

# crontab -e 0 * * * * sikker blacklist \ --score-min 80 \ --plaintext > /etc/blocklist.txt

Pipe to iptables

$ sikker blacklist \ --score-min 90 \ --plaintext \ | while read ip; do iptables -A INPUT -s $ip -j DROP done

ipset bulk load

$ ipset create sikker hash:ip $ sikker blacklist \ --score-min 75 \ --plaintext \ | while read ip; do ipset add sikker $ip done

Environment Variables

Environment variables override saved config values. Useful for CI/CD pipelines, Docker containers, and multi-key setups.

Variables

SIKKERAPI_KEYstrAPI key (overrides saved config)

SIKKERAPI_URLstrBase URL override (default: https://api.sikkerapi.com)

NO_COLORanyIf set, disables colored output

GitHub Actions example

# .github/workflows/deploy.yml env: SIKKERAPI_KEY: ${{ secrets.SIKKERAPI_KEY }} steps: - run: | sikker check $IP --fail-above 50

Open source — the CLI is MIT licensed. View the source on GitHub or install from npm. Get a free API key to start using it. Create free account →

sikker CLI

Package

@sikkerapi/cli

Version

0.3.0

Platforms

Linux, macOS, Windows (x64 + arm64)

License

MIT

IP threat intelligence from your terminal · GitHub · Back to Docs

Installation

Pre-built binaries are available for Linux, macOS, and Windows on both x64 and arm64 architectures. The CLI is distributed via npm with platform-specific optional dependencies.

npm (recommended)

$ npm install -g @sikkerapi/cli

Run without installing

$ npx @sikkerapi/cli check 1.2.3.4

Shell script

$ curl -fsSL https://raw.githubusercontent.com/SikkerAPIOfficial/sikkerapi-cli/refs/heads/main/scripts/install.sh | sh

Verify installation

$ sikker --version sikker version 0.3.0

Authentication

Save your API key

$ sikker auth sk_free_abc123... API key saved.

Or use an environment variable

$ export SIKKERAPI_KEY=sk_free_abc123... $ sikker check 1.2.3.4

Commands

The CLI wraps the full SikkerAPI REST API into simple terminal commands. Every command supports --json for raw JSON output and --help for usage information.

sikker check <ip>

Look up an IP address against the IP Check API. Returns confidence score, attack history, protocols, geolocation, detected behaviors, and matched primitives. Output is color-coded by threat level.

Flags

--max-ageintMaximum data age in seconds (0 = no limit)

--protocolsstrComma-separated protocol filter (e.g. ssh,http)

--excludestrFields to exclude from the response

--ignore-whitelistboolIgnore whitelist discount

--fail-aboveintExit code 1 if confidence ≥ value (for CI/CD gates)

--verboseboolInclude detailed data (protocols, behaviors, primitives). Default: true

--jsonboolOutput raw JSON instead of formatted table

Example

sikker blacklist

Download a scored IP blacklist with flexible filtering. Use --plaintext to output bare IPs (one per line) for piping directly to firewalls or ipset.

Flags

--score-minintMinimum confidence score, 1–100 (default: 50)

--limitintMaximum number of IPs (default: 10, 0 = unlimited)

--plaintextboolOne IP per line for piping to firewalls

--only-countriesstrComma-separated ISO country codes to include

--except-countriesstrComma-separated ISO country codes to exclude

--ip-versionstrIP version: 4, 6, or mixed

--protocolsstrComma-separated protocol filter

--min-severitystrMinimum behavior severity: low, medium, high, or very_high

--only-asnstrComma-separated ASNs to include

--except-asnstrComma-separated ASNs to exclude

--ignore-whitelistboolIgnore whitelist discount

--jsonboolOutput raw JSON

Example

sikker report <ip>

Submit an abuse report for a single IP. Requires a category (by name or number 1–16). Reports are factored into the confidence score for the reported IP.

Flags

--categorystrAttack category (required) — name or number 1–16

--protocolstrProtocol involved (e.g. ssh, http, ftp)

--commentstrFree text, max 1000 characters

--jsonboolOutput raw JSON

sikker bulk-report <file>

Submit reports in bulk from a CSV or JSON file. Auto-detects format from file extension. Up to 10,000 reports per file (max 2 MB). You can also use the bulk reporter on the website.

CSV format

$ sikker bulk-report reports.csv # CSV format (header optional): IP,Category,Protocol,Comment 1.2.3.4,brute_force,ssh,Repeated login attempts 5.6.7.8,3,http,

JSON format

$ sikker bulk-report reports.json # JSON format: { "reports": [ { "ip": "1.2.3.4", "category": "brute_force", "protocol": "ssh" }, { "ip": "5.6.7.8", "category": 3 } ] }

sikker taxii

Query TAXII 2.1 / STIX 2.1 threat intelligence feeds. Two subcommands: list fetches STIX indicators from a collection, get retrieves the indicator for a specific IP.

taxii list — flags

--limitintMaximum number of objects (0 = no limit)

--offsetintPagination offset

--added-afterstrISO 8601 timestamp filter

--collectionstrTAXII collection ID (default: sikker-threat-intel)

--jsonboolOutput raw JSON

taxii get <ip> — flags

--collectionstrTAXII collection ID (default: sikker-threat-intel)

--jsonboolOutput raw JSON

Example

sikker username <username>

Example

$ sikker username root "root" — 1,260,789 sessions First seen Jan 15, 2026 Last seen 2m ago Protocols SSH (1,200,000) · TELNET (45,000) · FTP (15,789)

sikker email <email>

Look up an SMTP recipient email address in the attack database. Returns total messages observed and first/last seen timestamps.

Example

$ sikker email [email protected] "[email protected]" — 4,521 messages First seen Feb 03, 2026 Last seen 6h ago

sikker bulk-check <file>

Check multiple IPs at once from a text or CSV file. Accepts one IP per line, max 10,000 IPs per request. Results are printed to the terminal (first 30 found) and written to a CSV file.

Flags

-o, --outputstrOutput CSV file path (default: bulk-check-<timestamp>.csv)

--jsonboolOutput raw JSON

Example

Alerts

sikker ip-alert [ip]

Monitor individual IP addresses. You'll be notified when a monitored IP appears in new attack data.

Example

$ sikker ip-alert 1.2.3.4 -l "production server" Alert created for 1.2.3.4 (production server) ID: a1b2c3d4-... $ sikker ip-alert list $ sikker ip-alert delete <alert-id>

sikker cidr-alert [cidr]

Monitor entire CIDR ranges. When any IP in the range appears in attack data, you'll be notified. Minimum prefix length depends on your plan.

Example

$ sikker cidr-alert 10.0.0.0/24 -l "office network" Alert created for 10.0.0.0/24 (office network) ID: e5f6a7b8-... $ sikker cidr-alert list $ sikker cidr-alert delete <alert-id>

sikker username-alert [username]

Monitor brute-force usernames. Get notified when a username you're tracking appears in new attack sessions.

Example

$ sikker username-alert deploy -l "CI/CD user" Alert created for "deploy" (CI/CD user) ID: c9d0e1f2-... $ sikker username-alert list $ sikker username-alert delete <alert-id>

sikker email-alert [email]

Monitor SMTP recipient email addresses. Get notified when a monitored email appears as a target in honeypot SMTP attacks.

Example

$ sikker email-alert [email protected] -l "ops inbox" Alert created for "[email protected]" (ops inbox) ID: f3a4b5c6-... $ sikker email-alert list $ sikker email-alert delete <alert-id>

sikker auth <api-key>

Save your API key locally. The key must start with sk_ and is stored at ~/.config/sikkerapi/config.json with 0600 permissions. The masked key is displayed on success.

Example

$ sikker auth sk_free_abc123def456 API key saved: sk_fre...f456

Automation

CI/CD gate — block if score ≥ 50

#!/bin/bash sikker check $DEPLOY_IP --fail-above 50 \ || { echo "Blocked: suspicious source IP"; exit 1; }

Cron — update blocklist every hour

# crontab -e 0 * * * * sikker blacklist \ --score-min 80 \ --plaintext > /etc/blocklist.txt

Pipe to iptables

$ sikker blacklist \ --score-min 90 \ --plaintext \ | while read ip; do iptables -A INPUT -s $ip -j DROP done

ipset bulk load

$ ipset create sikker hash:ip $ sikker blacklist \ --score-min 75 \ --plaintext \ | while read ip; do ipset add sikker $ip done

Environment Variables

Environment variables override saved config values. Useful for CI/CD pipelines, Docker containers, and multi-key setups.

Variables

SIKKERAPI_KEYstrAPI key (overrides saved config)

SIKKERAPI_URLstrBase URL override (default: https://api.sikkerapi.com)

NO_COLORanyIf set, disables colored output

GitHub Actions example

# .github/workflows/deploy.yml env: SIKKERAPI_KEY: ${{ secrets.SIKKERAPI_KEY }} steps: - run: | sikker check $IP --fail-above 50

Open source — the CLI is MIT licensed. View the source on GitHub or install from npm. Get a free API key to start using it. Create free account →