{"id":50545034,"url":"https://github.com/byfranke/sheep-analyze-cli","last_synced_at":"2026-06-03T23:01:31.761Z","repository":{"id":337536956,"uuid":"1154080422","full_name":"byfranke/sheep-analyze-cli","owner":"byfranke","description":"Analyze IPs, domains, hashes, and URLs against multiple intelligence sources. Automatic detection of threat type, threat level, and recommendations.","archived":false,"fork":false,"pushed_at":"2026-05-29T02:40:21.000Z","size":246,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-29T04:21:19.653Z","etag":null,"topics":["cybersecurity","ioc","theat-intel"],"latest_commit_sha":null,"homepage":"https://sheep.byfranke.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/byfranke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-10T01:48:35.000Z","updated_at":"2026-05-29T02:40:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/byfranke/sheep-analyze-cli","commit_stats":null,"previous_names":["byfranke/analyze-cli","byfranke/sheep-analyze-cli"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/byfranke/sheep-analyze-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/byfranke%2Fsheep-analyze-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/byfranke%2Fsheep-analyze-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/byfranke%2Fsheep-analyze-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/byfranke%2Fsheep-analyze-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/byfranke","download_url":"https://codeload.github.com/byfranke/sheep-analyze-cli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/byfranke%2Fsheep-analyze-cli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33883102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","ioc","theat-intel"],"created_at":"2026-06-03T23:01:30.915Z","updated_at":"2026-06-03T23:01:31.755Z","avatar_url":"https://github.com/byfranke.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sheep Analyze CLI\n\nCommand-line client for the Sheep API focused on Indicator of Compromise (IOC) analysis: IPs, domains, file hashes, URLs and CVEs. Each request is enriched with threat intelligence and answered by a Sheep AI model with both a human-readable narrative and a SOAR-friendly structured payload.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.youtube.com/watch?v=-NZARpdcJKk\"\u003e\n    \u003cimg src=\"https://img.youtube.com/vi/-NZARpdcJKk/maxresdefault.jpg\" alt=\"Sheep Analyze CLI — quick summary\" width=\"600\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eIOC analysis from your terminal, powered by the Sheep API.\u003c/strong\u003e\u003cbr\u003e\n  Version 2.2.0 | byFranke 2026\n\u003c/p\u003e\n\n---\n\n\u003cimg width=\"2127\" height=\"723\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fd784e35-ada8-41e7-95ae-66363ed2515b\" /\u003e\n\n---\n\n**More:** [Analyze Web](https://byfranke.com/pages/analyze.html) | [Sheep Docs](https://github.com/byfranke/sheep)\n\n## Installation\n\n### Prerequisites\n\n- Python 3.7 or higher\n- pip\n\n### Quick install\n\n```bash\ncurl -fsSL https://byfranke.com/analyze-cli-install | bash\n```\n\n### Install from source\n\n```bash\ngit clone https://github.com/byfranke/sheep-analyze-cli\ncd sheep-analyze-cli\nchmod +x analyze-cli.py setup.py install.sh\nbash install.sh\npython3 setup.py\n```\n\nThe installer creates two symlinks: `analyze` (canonical) and `analyze-cli` (legacy alias kept for backwards compatibility). Use whichever you prefer — every example below uses `analyze`.\n\n## Configuration\n\n### Encrypted setup (recommended)\n\n```bash\npython3 setup.py\n```\n\nThe wizard will:\n- Ask for your [API token](https://sheep.byfranke.com/pages/store)\n- Set a master password for encryption\n- Store the encrypted token at `~/.analyze/config.ini`\n- Cache the decrypted token in `/tmp` (mode `0600`, scoped to the current shell session) so you only type the master password once per terminal\n\n### One-shot\n\n```bash\nanalyze --token \"YOUR_TOKEN\" 185.220.101.45\n```\n\nOr via environment variable:\n\n```bash\nexport SHEEP_API_TOKEN=\"YOUR_TOKEN\"\nanalyze 185.220.101.45\n```\n\nThe legacy variable `ANALYZE_API_TOKEN` is still accepted with a deprecation warning and will be removed in a future release. `SHEEP_API_TOKEN` is the same variable used by every other Sheep CLI.\n\n**Storage:** the token is encrypted using PBKDF2-SHA256 (600,000 iterations) with a per-install random salt and Fernet (AES-128 + HMAC-SHA256).\n\n**Upgrading from analyze-cli 1.2:** the new config dir is `~/.analyze/`. The CLI keeps reading `~/.analyze-cli/config.ini` if it exists, so you can upgrade without re-running setup. Re-run `python3 setup.py` whenever you want to migrate.\n\n## Usage\n\n### Basic\n\n```bash\nanalyze 185.220.101.45                  # IP (auto-detected)\nanalyze example.com                     # Domain\nanalyze d41d8cd98f00b204e9800998ecf8427e  # MD5 hash\nanalyze https://suspicious-site.com/m   # URL\nanalyze CVE-2021-44228                  # CVE\n```\n\n### Which Sheep model is used\n\nEvery `/analyze` call is served by the **Sheep Hunter** model. The CLI does not expose a model selector here — analysis is opinionated by design so latency, depth and billing stay consistent across calls. If you need the lighter Scout model or the heavier Sage model, use the `/ask` surface (see [Sheep Ask CLI](https://github.com/byfranke/sheep-ask-cli)) where the model selector is exposed.\n\n### Output formats\n\n```bash\nanalyze 8.8.8.8                  # Pretty (default)\nanalyze 8.8.8.8 --output json    # JSON, for automation / SOAR\nanalyze 8.8.8.8 --output table   # Tabular summary\nanalyze 8.8.8.8 --output stix    # STIX 2.1 Bundle (MISP / OpenCTI / TheHive)\n```\n\nThe pretty output shows the verdict, confidence, the Sheep model that served the request, an executive summary, key findings, extracted IoCs, MITRE ATT\u0026CK techniques, recommendations and references.\n\n### STIX 2.1 interop\n\n`--output stix` emits a STIX 2.1 Bundle (OASIS spec) on stdout, ready to feed into any tool that speaks STIX: MISP, OpenCTI, TheHive, Cortex Analyzers, ThreatConnect, Anomali, or your own TAXII collection. The mapping is:\n\n- **Identity** SDO — names the producer (\"Sheep AI\").\n- **Indicator** SDO — one per IOC, with a real STIX pattern (`[ipv4-addr:value = '…']`, `[domain-name:value = '…']`, `[file:hashes.'SHA-256' = '…']`, `[url:value = '…']`).\n- **Vulnerability** SDO — for CVE targets, with `external_references` to NVD.\n- **AttackPattern** SDO — one per MITRE ATT\u0026CK technique, with `external_references` to the ATT\u0026CK registry.\n- **Relationship** SDO — wires secondary IOCs and ATT\u0026CK techniques back to the primary indicator (`related-to`).\n- **Note** SDO — recommended actions, attached to the primary indicator.\n- Verdict (`malicious` / `suspicious` / `benign` / `inconclusive`) is rendered as the STIX `indicator-type-ov` label.\n- Confidence (0–100) propagates to the Indicator / Vulnerability `confidence` field.\n\nQuick pipe-to-file example:\n\n```bash\nanalyze 8.8.8.8 --output stix \u003e ioc.json\n# Push to MISP via misp-stix-converter, OpenCTI via its STIX2 connector,\n# TheHive 5 via Cortex, or any TAXII 2.1 server with curl.\n```\n\nThe bundle is built server-side by the Sheep API (`?format=stix` query parameter on `/api/ai/analyze`) and streamed back over the same call. The CLI has no STIX dependency to install — Sheep is the single source of truth for the format, and every customer always gets the same canonical mapping.\n\n### Plan and quota\n\n```bash\nanalyze plan\n```\n\nShows your plan name, status, period end, the models your plan allows, and the current token usage / remaining budget.\n\n### Session management\n\n```bash\nanalyze --logout\n```\n\nClears the cached decrypted token for the current terminal only. The next call will prompt for the master password again.\n\n### Maintenance\n\n```bash\nanalyze --help        # Show help\nanalyze --version     # Show version\nanalyze --setup       # Re-run the interactive setup wizard\nanalyze --update      # Pull the latest version from GitHub\n```\n\n## Common errors\n\n1. **API token missing** — Configure your token with `python3 setup.py`, the `--token` flag or the `SHEEP_API_TOKEN` env var. New tokens at https://sheep.byfranke.com/pages/store.\n\n2. **HTTP 401 — Authentication failed** — Token missing, expired or revoked. Re-run `python3 setup.py` with a fresh token.\n\n3. **HTTP 403 — Plan does not cover this request** — Upgrade at https://sheep.byfranke.com/pages/store.\n\n4. **HTTP 429 — Rate limit exceeded** — Wait a minute. If it happens often, upgrade your plan.\n\n5. **Connection error** — Check your internet connection.\n\n6. **Invalid IOC type** — Make sure the IOC format is correct, or let the auto-detector handle it.\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Make your changes\n4. Run tests\n5. Submit a pull request\n\n## Security considerations\n\n- **Never commit your API token** to version control.\n- Store tokens securely with the setup wizard (encrypted) or `SHEEP_API_TOKEN`.\n- Keep restrictive permissions on the config file:\n  ```bash\n  chmod 600 ~/.analyze/config.ini\n  ```\n- The session token cache lives at `/tmp/analyze-cli-sess-\u003cuid\u003e-\u003csid\u003e` with mode `0600`, scoped to your current shell session. Run `analyze --logout` to clear it early.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbyfranke%2Fsheep-analyze-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbyfranke%2Fsheep-analyze-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbyfranke%2Fsheep-analyze-cli/lists"}