Get started with rl-protect
This quick start guide is for users who want to try the ReversingLabs rl-protect tool in 10 minutes.
In this guide, you will learn how to set up rl-protect, scan a package manifest file, and export the analysis report.
To learn about all supported features and functionalities, refer to the Supported rl-protect commands section in our documentation.
Prerequisites
The following tasks should be completed before you start working with rl-protect:
- Install the required Python version. rl-protect requires Python 3.8 or newer.
- Make sure you have the latest pip version. Use the following command to upgrade pip.
python3 -m pip install -U pip
- Get a token for your user account. You can use rl-protect with a free Spectra Assure Community account or with a Spectra Assure Portal account. Community tokens have the prefix rlcmm, and Portal tokens have the prefix rls3c. The token is required for authenticating rl-protect to the Spectra Assure APIs.
Community account:
- Create a free account on the Spectra Assure Community website.
- In your user profile on the Community website, create an access token. Provide a custom name for your token. Set the token expiration date or use the default value.
- When a token is generated, it's displayed only once. Copy the token and store it in a safe place. This is the only way to obtain the token you just created!
Portal account:
- If you're currently a Spectra Assure Portal user, create a token in your Portal user profile.
- Set a name and expiration date for the token.
- Copy the token and save it for later use.
Download rl-protect
The current version of rl-protect is 1.0.0.
rl-protect requires Python 3.8 or newer and supports the following systems and architectures:
- Windows 10 and later, 64-bit
- Linux x86 (all major distributions), 64-bit
You can download and install rl-protect from any of the sources listed in the following table.
SHA-256 checksums for installer packages are included in the table for integrity verification purposes.
| Format | Download links | SHA-256 checksum |
|---|---|---|
| Python package | Download from PyPI | Available on PyPI |
| Linux package (RPM) | Direct download | 5824a0182ed19da2465ffea9fd87b6d1508675b44f589306d17a9f6d4e06bf78 |
| Linux package (TGZ) | Direct download | 1b05e7a9bc908a4037ad8d152114ab2799c7fae8ef76dc7a4ff7abb674ddd81a |
| Windows installer (EXE) | Direct download | a6dba28ad49e2c42def01dab000339334a0a01e7193e39aa02db34e503ec5239 |
The rl-protect tool does not self-update.
If you want to use standalone installation packages, you'll have to download the new versions when they are released.
Users who install rl-protect from PyPI can get the latest version through pip.
If you already have rl-protect on your machine, installing the latest version of the tool automatically replaces the existing version.
Any existing connections and configuration are preserved across upgrades.
1. Install rl-protect locally
In this step, you will install rl-protect on your local system.
Install from PyPI:
- Install the latest rl-protect version from PyPI with pip.
python -m pip install rl-protect
If the installation command fails with a permissions-related error because the user is in a managed or restricted environment, try installing into the user's local site-packages instead:
python -m pip install --user rl-protect
(We're using the python -m pip approach to prevent issues with the pip version in your $PATH in case you have multiple Python installations on your machine.)
- To confirm that rl-protect is successfully installed on your system, run the following command in the terminal.
rl-protect --version
On Windows, you may need to add the rl-protect executable location to the PATH system environment variable to be able to run it from anywhere.
Install from standalone package:
- In your terminal, navigate to the directory where you want to install rl-protect.
- Download the standalone installation package of rl-protect for your platform. You can use the following direct links to download the packages in your browser, or use a CLI tool like curl or wget to download them in the terminal.
  - Linux: RPM, TGZ
  - Windows: Windows executable
- Install the latest rl-protect version from the package you downloaded.
On Linux (RPM package):
yum install /path/to/rl-protect.rpm
On Windows:
X:\path\to\rl-rl-protect.exe
- To confirm rl-protect is successfully installed on your system, run the following command in the terminal.
rl-protect --version
2. Connect rl-protect to a Spectra Assure account
In this step, you will provide your token to rl-protect so that it can connect to your Community or Portal user account.
To configure the connection, we're using the rl-protect server command.
With this command, you can manage multiple connections and store tokens in the configuration so that you don't have to input them every time you use rl-protect.
Community account:
Typically, Community users will only have one connection associated with their account. In most cases, it is recommended to use the default connection.
- In your terminal, run the following command. It will associate your token with the existing default connection and save it in the rl-protect configuration. The --rl-token parameter is required.
rl-protect server update \
--connection-id=default \
--rl-token=<your-community-token> \
--save-token=true
- To check which connections are configured and active, run:
rl-protect server list
Portal account:
Portal users may want to configure multiple connections; for example, each one for a different Portal group.
To do this, you must set a different name for each connection with the --connection-id parameter.
If the connection ID is not specified in the rl-protect server command, it will modify the default connection.
- In your terminal, run the following command. It will create a new connection named my-portal-connection, associate your token with it, and save it in the rl-protect configuration. The --rl-server, --rl-org, and --rl-token parameters are required.
rl-protect server connect my-portal-connection \
--rl-server=my.secure.software/organization \
--rl-org=MyOrg \
--rl-token=<your-portal-token> \
--rl-group=MyGroup \
--save-token=true
- To check which connections are configured and active, run:
rl-protect server list
3. Scan a package manifest file and save the report
In this step, you will scan a package manifest file with rl-protect and export the findings as a JSON file.
To do this, we're using the rl-protect scan command.
- In your terminal, navigate to the directory containing the package manifest file you want to scan. In this example, we're scanning a manifest file for npm packages (package.json).
- Run the rl-protect scan command followed by the path to the manifest file. In this example, we're using additional parameters to check release and develop dependencies, hide the progress bar in the output, show only failing dependencies in the output, and save the scan results as an rl-protect.json report file in the current directory. If you don't specify the connection-id in the command, the default connection is used automatically.
Input:
rl-protect scan package.json \
--check-deps=release,develop \
--no-tracking \
--fail-only \
--save-report=rl-protect.json
Output:
--------------------------------------------------------------------------------
[ FAIL ] DEPENDENCY / pkg:npm/request@2.88.2 / release
--------------------------------------------------------------------------------
[ Secrets o No sensitive information found ]
[ Licenses o No license compliance issues ]
[ Vulnerabilities x 3 severe vulnerabilities exploited ]
[ Hardening o No application hardening issues ]
[ Tampering o No evidence of software tampering ]
[ Malware o No evidence of malware inclusion ]
- More Info -------------------------------------------------------------
https://secure.software/npm/packages/request/2.88.2
--------------------------------------------------------------------------------
[ FAIL ] DEPENDENCY / pkg:npm/express@5.0.0-beta.3 / release
--------------------------------------------------------------------------------
[ Secrets o No sensitive information found ]
[ Licenses o No license compliance issues ]
[ Vulnerabilities x 1 severe vulnerabilities exploited ]
[ Hardening o No application hardening issues ]
[ Tampering o No evidence of software tampering ]
[ Malware o No evidence of malware inclusion ]
- More Info -------------------------------------------------------------
https://secure.software/npm/packages/express/5.0.0-beta.3
--------------------------------------------------------------------------------
SCANNED: 49 dependencies
RESULTS: [ FAIL ] 2
[ WARN ] 4
[ PASS ] 43
--------------------------------------------------------------------------------
The command output shows the total number of scanned dependencies and a summary of their results. The exported report file should contain all available metadata about analyzed packages and dependencies retrieved from the Spectra Assure APIs.
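The per-dependency blocks and the RESULTS summary shown above can be checked mechanically, for example to stop a build only on chosen failure categories. The following Python is an added example, not ReversingLabs code: it parses the console layout as it appears in the sample output on this page (abridged inline), and the names parse_scan_output and blocking_findings and the default blocking categories are assumptions.

```python
import re

# Abridged copy of the console output shown on this page (separator rows dropped).
SAMPLE = """\
[ FAIL ] DEPENDENCY / pkg:npm/request@2.88.2 / release
[ Vulnerabilities x 3 severe vulnerabilities exploited ]
[ Malware o No evidence of malware inclusion ]
https://secure.software/npm/packages/request/2.88.2
[ FAIL ] DEPENDENCY / pkg:npm/express@5.0.0-beta.3 / release
[ Vulnerabilities x 1 severe vulnerabilities exploited ]
[ Malware o No evidence of malware inclusion ]
https://secure.software/npm/packages/express/5.0.0-beta.3
SCANNED: 49 dependencies
RESULTS: [ FAIL ] 2
[ WARN ] 4
[ PASS ] 43
"""

HEADER = re.compile(r"^\[\s*(FAIL|WARN|PASS)\s*\]\s+DEPENDENCY\s+/\s+(\S+)\s+/\s+(\S+)$")
CHECK = re.compile(r"^\[\s*(\w+)\s+(\S)\s+(.*?)\s*\]$")
COUNT = re.compile(r"\[\s*(FAIL|WARN|PASS)\s*\]\s+(\d+)$")

def parse_scan_output(text):
    """Return (dependencies, summary) parsed from rl-protect console text."""
    deps, summary = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            deps.append({"status": m[1], "purl": m[2], "scope": m[3], "failed": {}, "url": None})
        elif deps and (m := CHECK.match(line)) and m[2] == "x":  # 'x' = failed check
            deps[-1]["failed"][m[1]] = m[3]
        elif deps and line.startswith("https://"):
            deps[-1]["url"] = line
        elif m := COUNT.search(line):
            summary[m[1]] = int(m[2])
    return deps, summary

def blocking_findings(text, block_on=("Vulnerabilities", "Tampering", "Malware")):
    """List (purl, category, detail) for FAIL results in the chosen categories."""
    deps, summary = parse_scan_output(text)
    fails = [d for d in deps if d["status"] == "FAIL"]
    # Fail closed: a missing or mismatched summary means truncated or changed output.
    if summary.get("FAIL") != len(fails):
        raise ValueError("FAIL blocks parsed do not match the RESULTS summary")
    return [(d["purl"], cat, d["failed"][cat])
            for d in fails for cat in block_on if cat in d["failed"]]

if __name__ == "__main__":
    for purl, cat, detail in blocking_findings(SAMPLE):
        print(f"{purl}: {cat}: {detail}")
```

The layout is taken only from the sample on this page and may differ in other versions; the saved rl-protect.json report is the more natural input for automation, but its schema is not shown here.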
You have successfully completed a basic workflow with ReversingLabs rl-protect.
Explore the resources on this documentation website to learn how you can secure your software with ReversingLabs Spectra Assure products.
Next steps
- Learn more about the rl-profile configuration schema to be able to customize profiles.
- Read about all supported rl-protect commands in the reference documentation.