
The CLI.

For scripted onboarding, CI integration, and tailing findings from your terminal. Same auth, same scope rules, same audit trail as the dashboard.

Install

The CLI is published as @brink/cli on npm and as a single-binary release on GitHub. Pick whichever fits your toolchain.

```bash
# npm
npm i -g @brink/cli

# or grab the static binary
curl -fsSL https://brink.security/install.sh | sh

# verify
brink --version
# brink 0.41.2 (built 2026-05-22)
```

Auth

The CLI authenticates with a personal access token issued from settings/api-keys. PATs are scoped: the default scope is read-only, with write scopes opt-in per token. Tokens persist in your OS keychain via brink auth login.

```bash
brink auth login                    # interactive prompt
brink auth login --token brk_pat_…  # non-interactive, e.g. CI

brink auth whoami
# rae@acme.dev · owner · org=acme · pat=brk_pat_a13e (expires in 89 days)
```

Note: tokens are tenant-scoped. A PAT only works against the org it was issued in. Switching orgs requires re-issuing. Service tokens (intended for CI) cannot be issued under the * scope.

Commands

Projects

```bash
brink project list
brink project create \
  --slug acme-api \
  --name "acme api" \
  --base-url https://api.staging.acme.dev \
  --env staging
brink project archive --slug acme-api
```

Scope

```bash
brink scope get --project acme-api
brink scope apply --project acme-api --file ./scope.yaml
brink scope account add \
  --project acme-api \
  --label tenant-a \
  --token-file ./fixtures/tenant-a.bearer
```

Runs

```bash
brink run start --project acme-api \
  --agents idor,auth-bypass,ssrf \
  --wall-clock 15m --tokens 200000

brink run list --project acme-api --limit 20
brink run cancel <run-id>
```

Findings

```bash
# tail confirmed findings as they land
brink findings tail --project acme-api --severity high+

# pull one
brink findings get BRK-2417 --format json
brink findings get BRK-2417 --format repro    # prints just the curl
brink findings repro BRK-2417                  # runs the repro for you
```

CI integration

Most teams wire brink into CI in one of two ways: (1) fail the build if a critical-or-high finding is still unfixed before merge, or (2) post a PR comment listing the new findings introduced by the diff. Both are one-liners against the CLI.

.github/workflows/brink.yml

```yaml
- name: brink gate
  run: |
    brink auth login --token ${{ secrets.BRINK_TOKEN }}
    brink findings gate \
      --project acme-api \
      --severity high+ \
      --max-age 7d
```

Exit codes

  • 0 — success
  • 1 — runtime error (network, auth, parse)
  • 2 — gate failed: findings matched the gate predicate
  • 3 — permission denied: token lacks scope
  • 4 — budget exceeded: server-side rate or quota
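Putting the gate step and the exit-code table together, as an added example that is not part of the brink docs or the CLI itself: a POSIX sh wrapper that fails closed (a runtime error, a scope problem or a blown budget is never reported as a clean pass) and retries only exit 4 a bounded number of times. The `BRINK`, `GATE_RETRIES` and `GATE_RETRY_DELAY` variables, and the assumption that exit 4 is a transient rate limit, are mine.

```bash
#!/usr/bin/env sh
# Added example, not brink's own code. Wraps `brink findings gate` for CI so
# that every non-zero exit fails the build, but only exit 2 is reported as a
# security result; the rest are surfaced as infrastructure problems.

BRINK="${BRINK:-brink}"                    # assumption: overridable for stubs
GATE_RETRIES="${GATE_RETRIES:-3}"          # assumption: bounded retry on exit 4
GATE_RETRY_DELAY="${GATE_RETRY_DELAY:-5}"  # seconds between retries

# Map a brink exit code to a one-word outcome: pass, fail or error.
gate_outcome() {
  case "$1" in
    0) echo pass ;;
    2) echo fail ;;
    *) echo error ;;
  esac
}

# Human-readable reason, taken from the documented exit-code table.
gate_reason() {
  case "$1" in
    0) echo "no findings matched the gate predicate" ;;
    1) echo "runtime error (network, auth, parse)" ;;
    2) echo "findings matched the gate predicate" ;;
    3) echo "permission denied: token lacks scope" ;;
    4) echo "budget exceeded: server-side rate or quota" ;;
    *) echo "unknown exit code $1" ;;
  esac
}

# run_gate <project> [severity] [max-age]; returns 0 only on a clean pass.
run_gate() {
  project="$1"; severity="${2:-high+}"; max_age="${3:-7d}"
  attempt=1
  while :; do
    "$BRINK" findings gate --project "$project" \
      --severity "$severity" --max-age "$max_age" && rc=0 || rc=$?
    # Retry only the budget case, and only while attempts remain.
    [ "$rc" -eq 4 ] && [ "$attempt" -lt "$GATE_RETRIES" ] || break
    echo "brink gate: $(gate_reason "$rc"); retry $attempt/$GATE_RETRIES" >&2
    attempt=$((attempt + 1))
    sleep "$GATE_RETRY_DELAY"
  done
  outcome=$(gate_outcome "$rc")
  echo "brink gate: $outcome ($(gate_reason "$rc"))"
  [ "$outcome" = pass ]
}
```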