sikker CLI

IP threat intelligence from your terminal · Back to API Docs

Overview

The sikker CLI is the official command-line tool for SikkerAPI. It wraps the full REST API into simple terminal commands for sysadmins, security engineers, and DevOps teams.

What you can do

•Check IP reputation with confidence scores and attack history
•Download blacklists filtered by country, protocol, ASN, or severity
•Report malicious IPs individually or in bulk from CSV/JSON
•Query TAXII/STIX feeds for threat intelligence integration
•Automate firewall rules with --plaintext and --fail-above flags

Quick demo

$ sikker check 185.220.101.34

  IP            185.220.101.34
  Confidence    92
  First seen    2025-11-03
  Last seen     2 hours ago
  Sessions      1,847
  Country       DE
  Protocols     SSH, HTTP, FTP

$ sikker blacklist --score-min 75 --limit 5

  IP                  SCORE   LAST SEEN       COUNTRY   PROTOCOLS
  185.220.101.34      92      2h ago          DE        SSH, HTTP
  45.148.10.174       88      5h ago          NL        SSH
  ...

$ sikker report 5.6.7.8 --category brute_force
  Report submitted successfully.

Installation

Pre-built binaries are available for Linux, macOS, and Windows on both x64 and arm64 architectures. Choose your preferred install method.

npm (recommended)

The easiest way to install. Automatically downloads the correct binary for your platform. Available on npmjs.com.

Run without installing

Use npx to run a single command without a global install.

npm (recommended)

$ npm install -g @sikkerapi/cli

Run without installing

$ npx @sikkerapi/cli check 1.2.3.4

Verify installation

$ sikker --version
sikker version 0.2.4

Authentication

All commands require an API key. Get a free key by creating an account, then save it locally.

Your key is stored at ~/.config/sikkerapi/config.json. You can also set the SIKKERAPI_KEY environment variable instead, which takes precedence over the saved config.

Check pricing for quota details on each plan. Free keys include 100 lookups, 50 reports, and 10,000 blacklist IPs per day.

Save your API key

$ sikker auth sk_free_abc123...
  API key saved.

Or use an environment variable

$ export SIKKERAPI_KEY=sk_free_abc123...
$ sikker check 1.2.3.4

Commands

sikker check <ip>

Look up an IP address against the SikkerAPI threat intelligence database. Returns confidence score, attack history, protocols, geolocation, and detected behaviors.

Flag	Description
--max-age	Maximum data age in seconds
--protocols	Comma-separated protocol filter
--fail-above	Exit code 1 if confidence ≥ value (for automation)
--json	Output raw JSON

sikker blacklist

Download a scored IP blacklist. Supports filtering by country, protocol, ASN, severity, and IP version. Use --plaintext for firewall-ready output.

Flag	Description
--score-min	Minimum confidence score (1-100, default 50)
--limit	Maximum number of IPs
--plaintext	One IP per line (for piping to firewalls)
--only-countries	Comma-separated ISO country codes to include
--protocols	Comma-separated protocol filter
--min-severity	low, medium, high, or very_high
--json	Output raw JSON

sikker report <ip>

Submit an abuse report for a single IP. Choose from 16 attack categories.

Flag	Description
--category	Attack category (required) — name or number
--protocol	Protocol (e.g. ssh, http)
--comment	Free text, max 1000 characters

sikker bulk-report <file>

Submit reports in bulk from a CSV or JSON file. Up to 10,000 reports per file (max 2MB).

sikker taxii list / get

Query TAXII 2.1 / STIX threat intelligence feeds. List STIX indicators or look up a specific IP as a STIX object.

Check an IP

$ sikker check 1.2.3.4
$ sikker check 1.2.3.4 --json
$ sikker check 1.2.3.4 --fail-above 50

Download blacklist

$ sikker blacklist --score-min 75 --limit 1000
$ sikker blacklist --plaintext > blocklist.txt
$ sikker blacklist --protocols ssh --only-countries US,CN

Report abuse

$ sikker report 5.6.7.8 \
    --category brute_force \
    --protocol ssh

Bulk report from CSV

$ sikker bulk-report reports.csv

# CSV format:
# IP,Category,Protocol,Comment
# 1.2.3.4,brute_force,ssh,Attack

TAXII feed

$ sikker taxii list --limit 100
$ sikker taxii get 1.2.3.4 --json

Automation

The CLI is designed for scripting and automation. Use --plaintext, --json, and --fail-above to integrate with your existing infrastructure.

CI/CD gate

Block deployments from known malicious sources. The --fail-above flag returns exit code 1 when the confidence score meets or exceeds your threshold.

Cron blacklist updates

Keep your firewall blocklists fresh with a cron job. The --plaintext flag outputs bare IPs, one per line.

Firewall integration

Pipe blacklist output directly to iptables or ipset. See our Fail2Ban, CSF, and Nginx integration guides for more options.

CI/CD gate — block if score >= 50

#!/bin/bash
sikker check $DEPLOY_IP --fail-above 50 \
  || { echo "Blocked: suspicious source IP"; exit 1; }

Cron — update blocklist every hour

# crontab -e
0 * * * * sikker blacklist \
  --score-min 80 \
  --plaintext > /etc/blocklist.txt

Pipe to iptables

$ sikker blacklist \
    --score-min 90 \
    --plaintext \
  | while read ip; do
      iptables -A INPUT -s $ip -j DROP
    done

ipset bulk load

$ ipset create sikker hash:ip
$ sikker blacklist \
    --score-min 75 \
    --plaintext \
  | while read ip; do
      ipset add sikker $ip
    done

Environment Variables

Environment variables override saved config values. Useful for CI/CD pipelines, Docker containers, and multi-key setups.

Variable	Description
SIKKERAPI_KEY	API key (overrides saved config)
SIKKERAPI_URL	Base URL override (default: https://api.sikkerapi.com)
NO_COLOR	Disable colored output

Open source — the CLI is MIT licensed. Install from npm or view the package details on npmjs.com.

Docker / CI example

# GitHub Actions
env:
  SIKKERAPI_KEY: ${{ secrets.SIKKERAPI_KEY }}

steps:
  - run: |
      sikker check $IP --fail-above 50

Disable color for log files

$ NO_COLOR=1 sikker blacklist \
    --score-min 80 >> /var/log/blocklist.log

Overview

The sikker CLI is the official command-line tool for SikkerAPI. It wraps the full REST API into simple terminal commands for sysadmins, security engineers, and DevOps teams.

What you can do

•Check IP reputation with confidence scores and attack history
•Download blacklists filtered by country, protocol, ASN, or severity
•Report malicious IPs individually or in bulk from CSV/JSON
•Query TAXII/STIX feeds for threat intelligence integration
•Automate firewall rules with --plaintext and --fail-above flags

Quick demo

$ sikker check 185.220.101.34

  IP            185.220.101.34
  Confidence    92
  First seen    2025-11-03
  Last seen     2 hours ago
  Sessions      1,847
  Country       DE
  Protocols     SSH, HTTP, FTP

$ sikker blacklist --score-min 75 --limit 5

  IP                  SCORE   LAST SEEN       COUNTRY   PROTOCOLS
  185.220.101.34      92      2h ago          DE        SSH, HTTP
  45.148.10.174       88      5h ago          NL        SSH
  ...

$ sikker report 5.6.7.8 --category brute_force
  Report submitted successfully.

Installation

Pre-built binaries are available for Linux, macOS, and Windows on both x64 and arm64 architectures. Choose your preferred install method.

npm (recommended)

The easiest way to install. Automatically downloads the correct binary for your platform. Available on npmjs.com.

Run without installing

Use npx to run a single command without a global install.

npm (recommended)

$ npm install -g @sikkerapi/cli

Run without installing

$ npx @sikkerapi/cli check 1.2.3.4

Verify installation

$ sikker --version
sikker version 0.2.4

Authentication

All commands require an API key. Get a free key by creating an account, then save it locally.

Your key is stored at ~/.config/sikkerapi/config.json. You can also set the SIKKERAPI_KEY environment variable instead, which takes precedence over the saved config.

Check pricing for quota details on each plan. Free keys include 100 lookups, 50 reports, and 10,000 blacklist IPs per day.

Save your API key

$ sikker auth sk_free_abc123...
  API key saved.

Or use an environment variable

$ export SIKKERAPI_KEY=sk_free_abc123...
$ sikker check 1.2.3.4

Commands

sikker check <ip>

Look up an IP address against the SikkerAPI threat intelligence database. Returns confidence score, attack history, protocols, geolocation, and detected behaviors.

Flag	Description
--max-age	Maximum data age in seconds
--protocols	Comma-separated protocol filter
--fail-above	Exit code 1 if confidence ≥ value (for automation)
--json	Output raw JSON

sikker blacklist

Download a scored IP blacklist. Supports filtering by country, protocol, ASN, severity, and IP version. Use --plaintext for firewall-ready output.

Flag	Description
--score-min	Minimum confidence score (1-100, default 50)
--limit	Maximum number of IPs
--plaintext	One IP per line (for piping to firewalls)
--only-countries	Comma-separated ISO country codes to include
--protocols	Comma-separated protocol filter
--min-severity	low, medium, high, or very_high
--json	Output raw JSON

sikker report <ip>

Submit an abuse report for a single IP. Choose from 16 attack categories.

Flag	Description
--category	Attack category (required) — name or number
--protocol	Protocol (e.g. ssh, http)
--comment	Free text, max 1000 characters

sikker bulk-report <file>

Submit reports in bulk from a CSV or JSON file. Up to 10,000 reports per file (max 2MB).

sikker taxii list / get

Query TAXII 2.1 / STIX threat intelligence feeds. List STIX indicators or look up a specific IP as a STIX object.

Check an IP

$ sikker check 1.2.3.4
$ sikker check 1.2.3.4 --json
$ sikker check 1.2.3.4 --fail-above 50

Download blacklist

$ sikker blacklist --score-min 75 --limit 1000
$ sikker blacklist --plaintext > blocklist.txt
$ sikker blacklist --protocols ssh --only-countries US,CN

Report abuse

$ sikker report 5.6.7.8 \
    --category brute_force \
    --protocol ssh

Bulk report from CSV

$ sikker bulk-report reports.csv

# CSV format:
# IP,Category,Protocol,Comment
# 1.2.3.4,brute_force,ssh,Attack

TAXII feed

$ sikker taxii list --limit 100
$ sikker taxii get 1.2.3.4 --json

Automation

The CLI is designed for scripting and automation. Use --plaintext, --json, and --fail-above to integrate with your existing infrastructure.

CI/CD gate

Block deployments from known malicious sources. The --fail-above flag returns exit code 1 when the confidence score meets or exceeds your threshold.

Cron blacklist updates

Keep your firewall blocklists fresh with a cron job. The --plaintext flag outputs bare IPs, one per line.

Firewall integration

Pipe blacklist output directly to iptables or ipset. See our Fail2Ban, CSF, and Nginx integration guides for more options.

CI/CD gate — block if score >= 50

#!/bin/bash
sikker check $DEPLOY_IP --fail-above 50 \
  || { echo "Blocked: suspicious source IP"; exit 1; }

Cron — update blocklist every hour

# crontab -e
0 * * * * sikker blacklist \
  --score-min 80 \
  --plaintext > /etc/blocklist.txt

Pipe to iptables

$ sikker blacklist \
    --score-min 90 \
    --plaintext \
  | while read ip; do
      iptables -A INPUT -s $ip -j DROP
    done

ipset bulk load

$ ipset create sikker hash:ip
$ sikker blacklist \
    --score-min 75 \
    --plaintext \
  | while read ip; do
      ipset add sikker $ip
    done

Environment Variables

Environment variables override saved config values. Useful for CI/CD pipelines, Docker containers, and multi-key setups.

Variable	Description
SIKKERAPI_KEY	API key (overrides saved config)
SIKKERAPI_URL	Base URL override (default: https://api.sikkerapi.com)
NO_COLOR	Disable colored output

Open source — the CLI is MIT licensed. Install from npm or view the package details on npmjs.com.

Docker / CI example

# GitHub Actions
env:
  SIKKERAPI_KEY: ${{ secrets.SIKKERAPI_KEY }}

steps:
  - run: |
      sikker check $IP --fail-above 50

Disable color for log files

$ NO_COLOR=1 sikker blacklist \
    --score-min 80 >> /var/log/blocklist.log