nabla-cli 0.1.1

An OSS SAST/SCA API for calculating your SSCS gradients
Documentation

License: MIT

Nabla - An OSS SAST/SCA API for calculating your SSCS gradients

terminal demo

The nabla is used in vector calculus as part of three distinct differential operators: the gradient (∇), the divergence (∇⋅), and the curl (∇×)

Nabla is a binary-first, fair-source, secure API for SAST/SCA tasks — designed to analyze, monitor, and validate the binaries used in your tools, applications, or infrastructure.

Built in Rust and deployable anywhere via Docker, Nabla helps modern teams build resilient CI/CD pipelines by generating attestations, SBOMs, CVE reports, and more — all from binaries alone.

🧐 Why Nabla?

We built this tool because as ecosystems like Rust and Wasm grow, it's becoming more and more common for developers to use third-party binaries in their code and infrastructure.

This introduces risk into the software supply chain, including:

- Shadow dependencies and bundled binaries
- Missing or unverifiable SBOMs
- Unknown vulnerabilities (CVEs)
- Inability to produce attestations or verify signatures

Nabla acts like a firewall for your binary inputs — providing deep binary analysis, vulnerability detection, attestation, and SBOMs in a clean, simple API.

✨ Features

  • 🔍 Binary Analysis: ELF, PE, Mach-O, and Wasm parsing via goblin
  • 🧾 SBOM Generation: CycloneDX format generation from extracted packages
  • 🚨 CVE Lookup: Detect vulnerabilities in known packages and binary patterns
  • ✍️ Attestation: Sigstore-compatible predicate output ready for signing
  • ⛓️‍💥 Diffing: Compare two binaries and view differences in content and structure
  • ⚙️ REST API: JSON-first API built on Axum, ready for CI/CD pipelines

🔌 CLI Commands

All commands require authentication unless otherwise specified. Set your JWT token using nabla-cli auth --set-jwt <token>.

Binary Analysis

Analyze a binary file to extract metadata, packages, and generate SBOMs.

nabla-cli binary analyze <FILE>

Example:

nabla-cli binary analyze ./my_binary

REST equivalent: POST /binary/analyze

Binary Comparison

Compare two binaries to identify differences in packages, symbols, and metadata.

nabla-cli diff <FILE1> <FILE2>

Example:

nabla-cli diff old_binary new_binary

REST equivalent: POST /binary/diff

Generate Attestations

Create Sigstore-compatible attestations for binaries with cryptographic signing.

nabla-cli binary attest --signing-key <SIGNING_KEY> <FILE>

Example:

nabla-cli binary attest --signing-key my_signing_key ./my_binary

REST equivalent: POST /binary/attest

CVE Scanning

Scan binaries for known vulnerabilities in detected packages.

nabla-cli binary check-cves <FILE>

Example:

nabla-cli binary check-cves ./my_binary

REST equivalent: POST /binary/check-cves

AI-Powered Analysis

Generate SBOMs and perform AI-powered binary analysis through natural language.

nabla-cli chat <MESSAGE>

Example:

nabla-cli chat "Generate a CycloneDX SBOM for this binary"

REST equivalent: POST /binary/chat

Authentication & Configuration

Authentication

Set your JWT token for API access:

nabla-cli auth --set-jwt <JWT_TOKEN>

Check authentication status:

nabla-cli auth status

Upgrade authentication:

nabla-cli auth upgrade

Configuration Management

View all configuration settings:

nabla-cli config list

Get a specific configuration value:

nabla-cli config get <KEY>

Set a configuration value:

nabla-cli config set <KEY> <VALUE>

Set the base URL for the API:

nabla-cli config set-base-url <URL>

Server Mode

Run Nabla in server mode (legacy):

nabla-cli --server --port 8080

Or using the server subcommand:

nabla-cli server

Setup

Prerequisites

  • Rust 1.82+
  • A Nabla License Key

Environment Variables

Copy .env.example to .env and configure:

PORT=8080
FIPS_MODE=false          # Enable FIPS 140-2 compliance
FIPS_VALIDATION=false    # Enable FIPS validation checks

Getting Started

Clone the repo:

git clone https://github.com/jdbohrman/nabla.git
cd nabla

Setup your environment:

cp .env.example .env

Edit .env:

PORT=8080
FIPS_MODE=false
FIPS_VALIDATION=false

Run locally:

cargo run

Or with Docker:

# Standard mode
docker build -t nabla .
docker run -p 8080:8080 -e FIPS_MODE=false nabla

# FIPS mode
docker build -t nabla-enterprise --build-arg FIPS_MODE=true --build-arg FIPS_VALIDATION=true .
docker run -p 8080:8080 -e FIPS_MODE=true -e FIPS_VALIDATION=true nabla-enterprise

FIPS 140-2 Compliance

Nabla supports FIPS 140-2 compliance mode for enterprise deployments:

FIPS Mode Features

  • FIPS 140-2 Approved Algorithms: SHA-256, SHA-512, HMAC-SHA256, AES-256-GCM
  • FIPS Validation: Runtime validation of cryptographic operations
  • Compliance Reporting: Health check endpoint reports detailed FIPS status
  • Enterprise Ready: FedRAMP, SOC 2, and HIPAA compliant
  • FIPS-Compliant TLS: Uses only FIPS-approved cipher suites
  • FIPS-Compliant RNG: Uses operating system secure random number generation
  • JWT/HMAC Compliance: Uses FIPS-approved HMAC-SHA256 for token validation

Environment Variables

FIPS_MODE=true           # Enable FIPS 140-2 compliance
FIPS_VALIDATION=true     # Enable FIPS validation checks

Health Check Response (FIPS Mode)

{
  "status": "healthy",
  "service": "Nabla",
  "version": "0.1.0",
  "fips": {
    "fips_mode": true,
    "fips_compliant": true,
    "fips_validation": true,
    "approved_algorithms": [
      "SHA-256",
      "SHA-512",
      "HMAC-SHA256",
      "AES-256-GCM",
      "TLS13_AES_256_GCM_SHA384"
    ],
    "hash_algorithm": "SHA-512",
    "random_generator": "FIPS-compliant OS RNG"
  }
}

Health Check Response (Standard Mode)

{
  "status": "healthy",
  "service": "Nabla",
  "version": "0.1.0",
  "fips": {
    "fips_mode": false,
    "fips_compliant": false,
    "fips_validation": false,
    "hash_algorithm": "Blake3",
    "random_generator": "Standard RNG"
  }
}

FIPS Implementation Details

Cryptographic Algorithms

  • Hashing: SHA-256, SHA-512 (FIPS mode) vs Blake3 (standard mode)
  • HMAC: HMAC-SHA256 for JWT token validation
  • Random Generation: OS secure RNG (FIPS) vs standard RNG (standard)
  • TLS Cipher Suites: FIPS-approved suites only in FIPS mode

Binary Analysis

  • Hash Generation: Uses configurable crypto provider
  • Metadata: Includes FIPS status and algorithm information
  • Consistency: All cryptographic operations respect FIPS mode

HTTP Client

  • TLS Configuration: FIPS-compliant cipher suites when enabled
  • Certificate Validation: Enhanced security in FIPS mode
  • Connection Security: Uses rustls with FIPS-approved settings

Docker Deployment

# Standard deployment
docker run -e FIPS_MODE=false nabla:latest

# FIPS-compliant deployment
docker run -e FIPS_MODE=true -e FIPS_VALIDATION=true nabla-enterprise:latest

Compliance Certifications

  • FIPS 140-2 Level 1: Cryptographic module compliance
  • FedRAMP: Federal Risk and Authorization Management Program
  • SOC 2 Type II: Security, availability, and confidentiality
  • HIPAA: Health Insurance Portability and Accountability Act

License

This project is licensed under the Functional Source License - see the LICENSE file for details.

Want a license key? Chat up the Atelier Logos team and get a 14-day trial