CLI reference

Every digger sub-command, in one place.

Global flags

--no-banner
Suppress the ASCII banner. Use in scripts/CI.
--fips-mode
Enter FIPS 140-3 restricted mode. Runs KAT self-tests; refuses non-approved algorithms.
--classification <label>
Classification marking (default UNCLASSIFIED). Written to the case metadata and chain of custody.
--tlp <level>
Default TLP marking. One of TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED.
--version
Print version and exit.

collect

digger collect --case-dir DIR [--only NAMES] [--no-admin]

Run platform-appropriate collectors. Writes a fresh case directory if one doesn't exist, or appends to an existing one (with chain continuity).

--case-dir
Output directory. Created if missing.
--only NAMES
Comma-separated collector names. Run digger collect --case-dir x --only system to inventory the collector roster.
--no-admin
Skip every collector marked requires_admin.

scan

digger scan --case-dir DIR [--only NAMES]

Run the detection stack against an already-collected case directory. Detectors are read-only over artifacts but write Findings.

triage

digger triage --case-dir DIR
              [--llm-base-url URL] [--llm-model NAME] [--llm-api-key KEY]
              [--skip-below LEVEL] [--only DETECTORS] [--max N]
              [--no-case-summary] [--force]

AI-triage findings via a local OpenAI-compatible LLM. Writes triage JSON into each finding and a case-wide summary into case metadata.

--llm-base-url
Defaults to http://127.0.0.1:8080/v1 (llama.cpp default).
--llm-model
Defaults to GLM-4.6. Anything your server has loaded works.
--skip-below
Skip findings below this severity. Default low — skips info-level findings (the timeline).
--max N
Triage at most N findings, for quick iteration.
--force
Continue even if the LLM health check fails.

report

digger report --case-dir DIR --format html|md|json [--out PATH]

Render a self-contained report from the case directory.

investigate

digger investigate --case-dir DIR [--report PATH] [--report-format html|md|json]
                   [--no-triage] [collect/triage flags…]

One-shot collect + scan + triage + report.

verify

digger verify --case-dir DIR

Recompute every content hash and chain hash in the evidence DB. Exits non-zero if any check fails. See evidence store.

intel

digger intel update [--only FEEDS] [--force] [--sign-key PATH] [--sign-alg ALG]
digger intel status
digger intel watch [--force-first]
digger intel sign --key PATH [--algorithm ALG] [--target DIR] [--note TEXT]
digger intel verify [--target DIR]
update
Refresh feeds whose interval has elapsed. --force bypasses the interval; --only limits the refresh to the named feeds. --sign-key auto-signs the cache (PQC ML-DSA-65 by default) after the fetch; the key path is also read from $DIGGER_INTEL_SIGN_KEY.
status
List feeds with last-fetched age + staleness flag, plus the integrity-signature state (signed / unsigned / re-check needed).
watch
Run a foreground scheduler that polls feeds on their per-feed cadence indefinitely.
sign
PQC-sign the current intel cache directory (defense-in-depth against on-disk tampering of fetched feeds).
verify
Verify the PQC signature against the current intel cache. Returns the dual SHA-256 + SHA3-256 tree-hash roots and file count.

See live feeds for the full feed list. The load_intel helper used by detectors also performs a once-per-process signature verification; DIGGER_INTEL_STRICT=1 makes it refuse unsigned or tampered caches, and DIGGER_INTEL_NO_VERIFY=1 silences it.
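The integrity model behind intel sign / verify and the DIGGER_INTEL_STRICT switch, as an added Python example that is not digger's own code: it computes dual SHA-256 and SHA3-256 tree-hash roots plus a file count over a cache snapshot and applies the strict / non-strict decision. The leaf and root construction, the function names and the constructed feed files are assumptions; the PQC signature over the roots is left out.

```python
"""Added illustration of the intel-cache integrity model behind intel sign /
verify: two independent tree-hash roots (SHA-256 and SHA3-256) plus a file count
over the cache directory, and the strict / non-strict decision. Not digger's code;
the leaf and root construction is an assumption chosen for this example."""
from __future__ import annotations
import hashlib
import os

# Constructed stand-in for a fetched feed cache ({relative path: bytes}).
SAMPLE_CACHE = {"feeds/ioc.json": b'{"iocs": ["203.0.113.5"]}',
                "feeds/manifest.txt": b"ioc.json\n"}

def _leaf(algo: str, relpath: str, content: bytes) -> bytes:
    """Leaf = H(relpath || NUL || H(content)): renames and edits both change it."""
    content_digest = hashlib.new(algo, content).digest()
    return hashlib.new(algo, relpath.encode() + b"\x00" + content_digest).digest()

def tree_roots(files: dict[str, bytes]) -> dict:
    """Dual roots over a snapshot, each root hashing the leaves in canonical order."""
    roots = {}
    for algo in ("sha256", "sha3_256"):
        h = hashlib.new(algo)
        for relpath in sorted(files):
            h.update(_leaf(algo, relpath, files[relpath]))
        roots[algo] = h.hexdigest()
    roots["file_count"] = len(files)
    return roots

def snapshot_dir(cache_dir: str) -> dict[str, bytes]:
    """Read every regular file under cache_dir, keyed by POSIX-style relative path."""
    files = {}
    for dirpath, _, names in os.walk(cache_dir):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, cache_dir).replace(os.sep, "/")] = fh.read()
    return files

def check_cache(files: dict[str, bytes], signed_roots: dict | None, strict: bool) -> str:
    """signed_roots is the manifest the PQC signature covers (the signature check
    itself is out of scope here); None means the cache was never signed."""
    if signed_roots is None:
        return "refused-unsigned" if strict else "unsigned"
    current = tree_roots(files)
    if all(current[k] == signed_roots.get(k) for k in ("sha256", "sha3_256", "file_count")):
        return "ok"
    return "refused-tampered" if strict else "tampered"
```

Because a leaf binds the relative path as well as the content, renaming a feed file changes both roots just as editing it does.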

firewall

digger firewall audit --case-dir DIR [--show-remedy] [--verbose]
audit
Run the firewall auditor over collected pf / nftables / iptables / ufw / firewalld / WFP artifacts. --show-remedy prints the exact platform-specific fix commands (with [DESTRUCTIVE] annotations); --verbose includes the full finding summary. digger NEVER auto-applies; the operator copy-pastes. See Firewall audit + remediation.

pqc

digger pqc sign --case-dir DIR [--algorithm ALG] [--key PATH] [--note TEXT]
digger pqc verify --case-dir DIR [--signature PATH]
digger pqc info [--mode fips|round4|onramp|all]
sign
Sign the evidence chain tip. Default algorithm ML-DSA-65. Auto-generates the keypair if --key doesn't exist.
verify
Verify a previously-written case_signature.json.
info
Show available PQC algorithms and which expected ones are missing.

fips

digger fips status
digger fips enable [--force]
status
Show the current process state, KAT results and the detected OS FIPS marker.
enable
Run KATs and enter FIPS mode. Fails if KAT fails unless --force.

The global --fips-mode flag is the easier way to opt in for a single invocation; fips enable is useful when scripting.

compliance

digger compliance list
digger compliance assess --case-dir DIR
       [--frameworks NAMES] [--format html|md|json|all] [--out-dir DIR]

List loadable frameworks or assess a case against them. Reports land under <case>/compliance/ by default. See compliance frameworks.

export

digger export stix             --case-dir DIR [--out PATH] [--tlp LEVEL]
digger export misp             --case-dir DIR [--out PATH] [--tlp LEVEL]
digger export attack-navigator --case-dir DIR [--out PATH]
digger export taxii            --case-dir DIR
       --base-url URL --api-root ROOT --collection ID
       [--username U] [--password P] [--token T] [--tlp LEVEL]

Emit a STIX 2.1 bundle, a MISP event or a MITRE ATT&CK Navigator layer, or push a STIX bundle to a TAXII 2.1 server. See exchange formats.

generate

digger generate sigma --case-dir DIR [--finding UUID] [--out-dir DIR]
digger generate sigma --from-detectors    [--out-dir DIR]   # no case needed
sigma (per-finding)
Walk the case's findings and emit one Sigma .yml per finding that has a registered generator. Default out-dir: <case>/sigma-out/.
sigma --from-detectors
Emit one generic Sigma rule per detector that implements to_sigma_template() — independent of any case. Default out-dir: out/sigma/. Useful when you want the SIEM-deployable detection logic without needing to run a case first. See Generate Sigma from findings.

sigma

digger sigma --case-dir DIR [--dirs PATH1,PATH2]

Run Sigma rules against the evidence. Default rule directories now include both digger/rules/sigma/ AND the live SigmaHQ corpus cached by the sigmahq_corpus feed (when populated). Pass --dirs to add others.

loki

digger loki update [--target DIR]
digger loki status
digger loki scan --case-dir DIR

Clone/pull Florian Roth's signature-base, show what's loaded, and run the LOKI-style detector. See LOKI / signature-base.

hunt

digger hunt list [--tag TAG] [-v]
digger hunt run --case-dir DIR [--hunt IDS] [--tag TAG] [--severity LEVEL]
       [--out PATH] [--format html|md|json] [-v]

Threat-hunting query library — exploratory tabular queries against the evidence store. See Threat hunting.

diff

digger diff --base BASE_CASE_DIR --new NEW_CASE_DIR
       [--out PATH] [--format html|md|json]

Compare two case directories. Reports added / removed / modified artifacts per collector, plus new / resolved / persisted / modified findings. Identity matching ignores volatile fields (pid, ephemeral ports, create time) so a re-spawned process doesn't show as new. See Case diff.
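The identity matching the diff description refers to, as an added Python example that is not digger's code: records whose volatile fields differ but whose identity fields match are treated as the same artifact, so a re-spawned process lands in unchanged rather than added, while a changed stable field is reported as modified. The collector name, the field names and the sample processes are constructed assumptions.

```python
"""Added illustration of the identity matching `digger diff` describes: volatile
fields are ignored, so a re-spawned process is not reported as new, while a changed
stable field (the executable hash) is 'modified'. Not digger's code; names assumed."""
from __future__ import annotations
import hashlib
import json

VOLATILE = {"pid", "ppid", "create_time", "local_port"}   # per the page: ignored
IDENTITY = {"processes": ("name", "exe", "cmdline", "user")}   # assumed per collector

def identity_key(artifact: dict) -> str:
    """SHA-256 over the collector name and its identity fields, nothing else."""
    ident = [artifact["collector"]] + [artifact.get(f) for f in IDENTITY[artifact["collector"]]]
    return hashlib.sha256(json.dumps(ident).encode()).hexdigest()

def stable_view(artifact: dict) -> dict:
    """Every field that is not volatile; this is what 'modified' compares."""
    return {k: v for k, v in artifact.items() if k not in VOLATILE}

def diff_artifacts(base: list[dict], new: list[dict]) -> dict[str, list]:
    """Classify records as added / removed / modified / unchanged by identity key."""
    base_by = {identity_key(a): a for a in base}
    new_by = {identity_key(a): a for a in new}
    out = {"added": [], "removed": [], "modified": [], "unchanged": []}
    for key in new_by.keys() - base_by.keys():
        out["added"].append(new_by[key])
    for key in base_by.keys() - new_by.keys():
        out["removed"].append(base_by[key])
    for key in base_by.keys() & new_by.keys():
        before, after = stable_view(base_by[key]), stable_view(new_by[key])
        changed = {f: (before.get(f), after.get(f))
                   for f in before.keys() | after.keys() if before.get(f) != after.get(f)}
        bucket = "modified" if changed else "unchanged"
        out[bucket].append({"artifact": new_by[key], "changed": changed})
    return out

def proc(name, exe, cmdline, pid, create_time, exe_sha256, user="root"):
    """Constructed sample record helper (not a digger schema)."""
    return {"collector": "processes", "name": name, "exe": exe, "cmdline": cmdline,
            "user": user, "pid": pid, "ppid": 1, "create_time": create_time,
            "exe_sha256": exe_sha256}

# Constructed snapshots: sshd re-spawned, cron binary replaced, nginx appeared, agetty gone.
BASE = [proc("sshd", "/usr/sbin/sshd", "sshd -D", 812, 1700000000, "aaa"),
        proc("cron", "/usr/sbin/cron", "cron -f", 900, 1700000001, "bbb"),
        proc("agetty", "/sbin/agetty", "agetty tty1", 950, 1700000002, "eee")]
NEW = [proc("sshd", "/usr/sbin/sshd", "sshd -D", 4120, 1700003600, "aaa"),
       proc("cron", "/usr/sbin/cron", "cron -f", 4200, 1700003601, "ccc"),
       proc("nginx", "/usr/sbin/nginx", "nginx -g daemon off;", 4300, 1700003700, "ddd", "www-data")]
```

Calling diff_artifacts(BASE, NEW) puts sshd under unchanged despite its new pid and create_time, cron under modified with only exe_sha256 listed as changed, nginx under added and agetty under removed.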

Environment variables

DIGGER_FIPS_MODE
If set to 1/true/yes, enter FIPS mode automatically.
DIGGER_INTEL_DIR
Override the intel cache location (default ~/.cache/digger/intel).
DIGGER_LLM_BASE_URL
Default base URL for AI triage.
DIGGER_LLM_MODEL
Default model.
DIGGER_LLM_API_KEY
API key (most local servers ignore this).
DIGGER_LLM_TEMPERATURE
Sampling temperature (default 0.2).
DIGGER_LLM_MAX_TOKENS
Max tokens in triage responses.
DIGGER_LLM_TIMEOUT
HTTP timeout (seconds) per triage call.
DIGGER_TAXII_PASSWORD
Fallback for --password.
DIGGER_TAXII_TOKEN
Fallback for --token.
DIGGER_SHAI_HULUD_URL
Override the Shai-Hulud package list URL.
GITHUB_TOKEN
Used for the GitHub Advisory feed if set.