Reference
CLI Reference
Complete command-line reference for the Bleep headless proxy
On this page
Overview
The Bleep CLI is a headless Linux proxy that uses the same detection engine, policy evaluation, and CA infrastructure as the desktop app. It runs as a background daemon and is designed for environments where a GUI is unavailable or unnecessary.
Use the CLI when deploying Bleep on:
- Linux servers (bare metal or VM)
- Docker containers
- CI/CD runners (GitHub Actions, GitLab CI, Jenkins)
- Headless development environments
- Cloud workstations and remote machines
Two binaries
| Binary | Plan | Description |
|---|---|---|
| bleep | Individual | Standalone proxy with local policies and storage |
| bleep-enterprise | Team / Enterprise | Managed proxy that enrolls with an admin server for centralized policies and reporting |
Installation
Individual (curl)
Install directly from the command line — no browser needed. The exact URL with the latest version is shown on your downloads page under the Linux card.
# The URL follows this pattern (get exact URL from bleep-it.com/dashboard/downloads):
curl -fsSL -o /usr/local/bin/bleep \
"https://vlhkdtkmpbaqtvayrban.supabase.co/storage/v1/object/public/downloads/individual/VERSION/bleep-individual-linux-cli-VERSION"
chmod +x /usr/local/bin/bleep
# Verify
bleep --versionReplace VERSION with the latest version number, or copy the ready-to-use curl command from your downloads page.
Enterprise (curl)
For managed fleets, use the deployment script from your admin dashboard (Mass Deploy → Linux CLI), or install manually:
# Option 1: One-line install via curl (get exact URL from downloads page)
curl -fsSL -o /usr/local/bin/bleep-enterprise \
"https://vlhkdtkmpbaqtvayrban.supabase.co/storage/v1/object/public/downloads/VERSION/bleep-enterprise-linux-cli-VERSION"
chmod +x /usr/local/bin/bleep-enterprise
# Option 2: Admin dashboard deployment script (recommended for fleets)
# Go to Mass Deploy → Linux (CLI) tab → copy and run the generated script
# It downloads the binary, enrolls the device, installs the CA cert, and
# creates a systemd service — all in one step.
# Verify
bleep-enterprise --versionThe deployment script from the admin dashboard handles everything: downloading the binary, enrolling with the server, installing the CA certificate, creating a systemd service, and starting protection. Use it for deploying to multiple servers at once.
Quick Start
Individual
Start the proxy with your license key:
BLEEP_LICENSE_KEY=LIC-XXXX-XXXX-XXXX-XXXX bleep upThe up command starts the proxy daemon and auto-configures git, npm, VS Code, and Firefox to route AI traffic through Bleep.
Enterprise
Enroll with your admin server, then start the proxy:
# Enroll this device (one-time)
bleep-enterprise enroll --server http://admin-server:8081 --token YOUR_ENROLLMENT_TOKEN
# Start the proxy
bleep-enterprise upAfter enrollment, the device syncs policies, domain lists, and configuration from the admin server automatically. Violations are reported back to the admin dashboard.
Global Options
These options apply to all commands. They can also be set via environment variables or a YAML config file.
| Option | Default | Description |
|---|---|---|
| -c, --config PATH | — | Path to YAML config file |
| -m, --mode MODE | warning | Operating mode: warning or enforcing |
| -p, --port PORT | 8080 | Proxy listen port |
| -w, --web-port PORT | 8081 | Web dashboard / API port |
| -b, --bind HOST | 127.0.0.1 | Bind address (0.0.0.0 for all interfaces) |
| -l, --license-key KEY | — | License key (env: BLEEP_LICENSE_KEY) |
| --data-dir PATH | ~/.local/share/bleep | Data directory (SQLite database, CA, logs) |
| -v, --verbose | — | Enable debug logging |
| --no-system-proxy | — | Don't configure system proxy (use for Docker) |
| --log-file PATH | — | Write logs to file instead of stdout |
| --json-events | — | Output violations as JSON lines (for SIEM integration) |
Commands Reference
start
Start the proxy daemon. Listens for AI traffic and applies detection policies. Does not configure any applications — use up for auto-configuration.
bleep start
bleep start --port 9090 --mode warning
bleep start --bind 0.0.0.0 --log-file /var/log/bleep.logThe daemon runs in the foreground by default. Use a systemd service or & to background it.
up
Start the proxy and auto-configure common applications to route AI traffic through Bleep. This is the recommended way to start Bleep on developer machines.
bleep up
bleep up --mode warning
BLEEP_LICENSE_KEY=LIC-XXXX bleep upConfigures git, npm, VS Code, and Firefox automatically. Equivalent to running start followed by configure-apps.
down
Stop a running proxy daemon and unconfigure applications.
bleep downstatus
Show proxy status including running state, license info, CA certificate trust status, violation counts, and configured applications.
bleep status
bleep status --jsonUse --json for machine-readable output. See the Status Output section for a full example.
policy list
List all detection policies with their ID, name, action, severity, and enabled state.
bleep policy list
bleep policy list --jsonpolicy add
Add a new detection policy. Policies determine what action to take when a pattern is detected.
bleep policy add --name "Block AWS keys" --action block --severity critical
bleep policy add --name "Warn on emails" --action warn --severity medium --tags pii
bleep policy add --name "Redact SSNs" --action redact --severity high --destinations "ai_chatbots,ai_coding"| Flag | Required | Description |
|---|---|---|
| --name | Yes | Policy name |
| --action | Yes | log, warn, redact, or block |
| --severity | No | MEDIUM, HIGH, or CRITICAL |
| --tags | No | Comma-separated tags (e.g., pii,secrets) |
| --destinations | No | Comma-separated destination category IDs to apply to (default: all) |
policy remove
Remove a policy by ID.
bleep policy remove block_criticalpolicy toggle
Enable or disable a policy by ID without deleting it.
bleep policy toggle redact_highblocklist add
Add an item to the encrypted blocklist. Blocklist values are stored encrypted at rest and never displayed in plaintext.
bleep blocklist add --label "Production DB password" --value "s3cr3t!" --category password --severity CRITICAL
bleep blocklist add --label "Internal project name" --value "Project Falcon" --category custom| Flag | Required | Description |
|---|---|---|
| --label | Yes | Human-readable label for the item |
| --value | Yes | Secret value to detect (stored encrypted) |
| --category | No | Category (e.g., password, custom, pii) |
| --severity | No | MEDIUM, HIGH, or CRITICAL |
blocklist list
List all blocklist items. Shows labels and categories but never reveals the actual values.
bleep blocklist list
bleep blocklist list --jsonblocklist remove
Remove a blocklist item by ID.
bleep blocklist remove a1b2c3d4-...blocklist toggle
Enable or disable a blocklist item by ID.
bleep blocklist toggle a1b2c3d4-...patterns
List all built-in and custom detection patterns. Shows pattern name, category, and enabled state.
bleep patternsstats
Show violation statistics: counts by severity, by pattern, by destination, and over time.
bleep statsscan
Test-scan a string against all detection patterns without sending it through the proxy. Useful for testing policies and patterns.
bleep scan "My AWS key is AKIAIOSFODNN7EXAMPLE"
bleep scan "Call me at 555-123-4567, my SSN is 123-45-6789"Returns all matches with pattern name, severity, and the matched substring.
ca info
Show CA certificate details: subject, fingerprint, expiry, and whether it is trusted by the system.
bleep ca infoca export
Export the CA certificate to a PEM file. Useful for distributing the CA to other machines or adding to custom trust stores.
bleep ca export --output /tmp/bleep-ca.pemca trust
Install the Bleep CA certificate into the system trust store. Requires root/sudo.
sudo bleep ca trustca untrust
Remove the Bleep CA certificate from the system trust store. Requires root/sudo.
sudo bleep ca untrustenv
Print environment variables for proxy configuration. Use with eval to apply in the current shell.
# Apply proxy env vars to current shell
eval $(bleep env)
# Write a persistent drop-in file for all users
sudo bleep env --install
# Creates /etc/profile.d/bleep-proxy.sh
# Remove the drop-in file
sudo bleep env --uninstallThe --install flag writes /etc/profile.d/bleep-proxy.sh so proxy variables are set for all login shells automatically.
configure-apps
Configure applications to route traffic through the Bleep proxy. Sets proxy settings for git, npm, VS Code, and Firefox.
bleep configure-appsunconfigure-apps
Remove Bleep proxy configuration from all configured applications, restoring their original settings.
bleep unconfigure-appsdiag
Generate a diagnostic report for troubleshooting. Collects proxy status, configuration, CA info, recent logs, and system information into a plain text file.
bleep diag
bleep diag -o /tmp/bleep-diag.txtThe diagnostic bundle never includes sensitive data (blocklist values, license keys, or violation content). Send it to support when reporting issues.
Enterprise-Only Commands
These commands are only available in the bleep-enterprise binary.
enroll
Enroll this device with a Bleep admin server. After enrollment, the device syncs policies, domain lists, and settings from the server. Violations are reported back to the admin dashboard.
bleep-enterprise enroll --server http://admin-server:8081 --token YOUR_ENROLLMENT_TOKEN| Flag | Required | Description |
|---|---|---|
| --server URL | Yes | Admin server URL (e.g., http://192.168.1.50:8081) |
| --token TOKEN | Yes | Enrollment token from the admin dashboard |
Enrollment is a one-time operation. The device stores the server URL and credentials locally. After enrollment, run bleep-enterprise up to start the proxy.
unenroll
Remove enrollment from this device. Stops syncing with the admin server and clears server credentials. The proxy will stop reporting violations.
bleep-enterprise unenrollSystemd Service
Run Bleep as a systemd service for automatic startup and process management.
Service file
Create /etc/systemd/system/bleep.service (Individual) or /etc/systemd/system/bleep-enterprise.service:
[Unit]
Description=Bleep AI Data Loss Prevention Proxy
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/bleep start --no-system-proxy
Environment=BLEEP_LICENSE_KEY=LIC-XXXX-XXXX-XXXX-XXXX
Environment=BLEEP_MODE=warning
Environment=BLEEP_PROXY_PORT=8080
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.targetInstallation
# Copy the service file
sudo cp bleep.service /etc/systemd/system/
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable --now bleep
# Check status
sudo systemctl status bleep
# View logs
journalctl -u bleep -fFor Enterprise deployments, replace bleep with bleep-enterprise in the service file. Add Environment=BLEEP_SERVER_URL=http://admin:8081 if not already enrolled.
Docker Usage
Run Bleep in a Docker container for isolated deployments. Always use --no-system-proxy inside containers since there is no system proxy to configure.
Dockerfile
There is no pre-built Docker image. Build your own using the Dockerfile below, then run it:
FROM ubuntu:24.04
COPY bleep /usr/local/bin/bleep
RUN chmod +x /usr/local/bin/bleep && \
bleep ca trust
EXPOSE 8080 18080
VOLUME /data
ENTRYPOINT ["bleep", "start", "--no-system-proxy", "--bind", "0.0.0.0"]Build and run
# Build the image (place the bleep binary in the same directory as the Dockerfile)
docker build -t bleep-proxy .
# Run it
docker run -d \
--name bleep \
-p 8080:8080 \
-p 18080:18080 \
-e BLEEP_LICENSE_KEY=LIC-XXXX-XXXX-XXXX-XXXX \
-e BLEEP_MODE=warning \
-v bleep-data:/data \
bleep-proxySidecar pattern
Run Bleep as a sidecar next to your application. Point the application at the Bleep proxy:
# In your application container, set proxy env vars:
HTTP_PROXY=http://bleep:8080
HTTPS_PROXY=http://bleep:8080
# Or use the PAC file:
# http://bleep:18080/proxy.pacEnvironment Variables
All CLI options can be set via environment variables. Environment variables take precedence over the config file but are overridden by explicit CLI flags.
| Variable | Default | Description |
|---|---|---|
| BLEEP_LICENSE_KEY | — | License key (required) |
| BLEEP_MODE | warning | Operating mode: warning or enforcing |
| BLEEP_PROXY_PORT | 8080 | Proxy listen port |
| BLEEP_PAC_PORT | 18080 | PAC file server port |
| BLEEP_BIND_HOST | 127.0.0.1 | Bind address (0.0.0.0 for all interfaces) |
| BLEEP_SERVER_URL | — | Admin server URL (Enterprise only) |
Precedence order (highest to lowest): CLI flags → environment variables → config file → defaults.
Examples
Protect a CI/CD runner
Add Bleep to your CI pipeline to prevent secrets from leaking through AI-assisted coding tools:
# GitHub Actions example
- name: Install Bleep
run: |
# Get the exact URL from bleep-it.com/dashboard/downloads
curl -fsSL -o bleep \
"https://vlhkdtkmpbaqtvayrban.supabase.co/storage/v1/object/public/downloads/individual/VERSION/bleep-individual-linux-cli-VERSION"
chmod +x bleep
sudo mv bleep /usr/local/bin/
sudo bleep ca trust
- name: Start Bleep proxy
run: |
bleep start --no-system-proxy --mode enforcing &
eval $(bleep env)
env:
BLEEP_LICENSE_KEY: ${{ secrets.BLEEP_LICENSE_KEY }}
- name: Run your build
run: npm run buildDeploy to a fleet of Linux servers (Enterprise)
Use your config management tool (Ansible, Puppet, Chef) or a simple script:
#!/bin/bash
# deploy-bleep.sh — run on each target server
# Install binary
# Get the exact URL from bleep-it.com/dashboard/downloads
curl -fsSL -o /usr/local/bin/bleep-enterprise \
"https://vlhkdtkmpbaqtvayrban.supabase.co/storage/v1/object/public/downloads/VERSION/bleep-enterprise-linux-cli-VERSION"
chmod +x /usr/local/bin/bleep-enterprise
# Trust CA
bleep-enterprise ca trust
# Enroll with admin server
bleep-enterprise enroll --server http://admin-server:8081 --token "$ENROLLMENT_TOKEN"
# Install systemd service
cat > /etc/systemd/system/bleep-enterprise.service <<EOF
[Unit]
Description=Bleep Enterprise AI DLP Proxy
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/bleep-enterprise start --no-system-proxy
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now bleep-enterprise
# Set proxy env for all users
bleep-enterprise env --installMonitor AI usage on a development server
Run in warning mode to observe what data developers are sending to AI services, without blocking anything:
# Start in warning mode — logs everything, blocks nothing
BLEEP_LICENSE_KEY=LIC-XXXX bleep start \
--mode warning \
--bind 0.0.0.0 \
--log-file /var/log/bleep.log \
--no-system-proxy
# On developer machines, point at the shared proxy:
export HTTP_PROXY=http://bleep-server:8080
export HTTPS_PROXY=http://bleep-server:8080Integrate with SIEM
Use --json-events to output violations as JSON lines, then pipe to your SIEM:
# Pipe to syslog
bleep start --json-events 2>&1 | jq -c . | logger -t bleep -p local0.warning
# Write to file for Splunk/Elastic forwarder
bleep start --json-events --log-file /var/log/bleep/events.jsonl
# Example JSON event:
# {"timestamp":"2026-03-23T14:30:00Z","severity":"critical","pattern":"aws_access_key",
# "action":"block","destination":"chat.openai.com","redacted_match":"AKIA***EXAMPLE"}Status Output
Running bleep status displays a summary of the proxy state. Here is a full example with all fields explained:
Individual
$ bleep status
Proxy: running (port 8080)
PAC: port 18080
Mode: warning
License: active (individual)
CA cert: trusted (/home/user/.local/share/bleep/certs/ca.crt)
Patterns: 6 built-in, 2 blocklist
Violations: 12 (last 24h), 47 (total)
System proxy: configured (/etc/profile.d/bleep-proxy.sh)
Apps: git, npm, vscodeEnterprise
$ bleep-enterprise status
Enrollment: enrolled (seat: dev-server-01)
Server: http://10.0.1.50:8081 (Connected)
Last sync: 15s ago
Mode: enforcing
Proxy: running (port 8080)
PAC: port 18080
CA cert: trusted (/root/.local/share/bleep-enterprise/certs/ca.crt)
Tier: Engineering
Blocklist: 3 items
Violations: 5 (last 24h), 23 (total)
System proxy: configured (/etc/profile.d/bleep-proxy.sh)
Apps: git, npm, vscodeField descriptions
| Field | Description |
|---|---|
| Proxy | Proxy daemon state and listen port |
| PAC | PAC file server port |
| Mode | Current operating mode (warning or enforcing) |
| License | License activation status and plan type |
| CA cert | CA certificate trust status and file path |
| Patterns | Count of built-in detection patterns and blocklist items |
| Violations | Violation counts for last 24 hours and total |
| System proxy | Whether system proxy environment is configured and the drop-in file path |
| Apps | Applications configured to route through the proxy |
| Enterprise-only fields | |
| Enrollment | Enrollment status and device seat name |
| Server | Admin server URL and connection status |
| Last sync | Time since last successful sync with the admin server |
| Tier | Policy tier assigned to this device by the admin |
| Blocklist | Number of blocklist items synced from the server |
Use bleep status --json for machine-readable output with the same fields as a JSON object.