CLI commands
The CLI offers a command line help guide with the --h
or --help
option. The help guide displays the following commands you can use to understand more about Contrast configuration, applications, and vulnerabilities.
In the following examples, replace <string>
or <level>
with the string or level value that applies to your particular situation.
Command | Description |
---|---|
| The path to display parameters from the YAML file (optional) |
| An agent API key provided by Contrast (required) |
| Agent authorization credentials provided by Contrast (required) |
| The ID of your organization in Contrast (required) |
| The ID of the application cataloged by Contrast (required) |
| The name of the application cataloged by Contrast (optional) |
| Catalog an application (required for |
| Valid values are JAVA, NODE, PYTHON, RUBY and GO. (Note: The Go agent is in beta). If there are multiple project configuration files in the |
| Assigns your application to one or more pre-existing groups when using the |
| Allows for connection over a proxy server. If authentication is required, provide the username and password with the protocol, host and port. For example, http://username:password@<host>:<port>. (optional) |
| The name of the host and, optionally, the port expressed as |
| The directory root of a project/application that you want to analyze. Defaults to the current directory. (optional) |
| Combined with |
| Sets the number of CVEs allowed before a build is failed. If there are more CVEs than the threshold, the build will fail. |
| Fails the build if any vulnerabilities are found. Can be used in combination with |
| Shows a report of vulnerabilities in the application from compile time. |
| Silences JSON output. (optional) |
| Displays the CLI version you are currently using. |
| Displays the help guide. |
Note
Parameters in these commands may need to be quoted to avoid issues with special characters. For example:
--application_name = "My_app_name_$+=(/\"
Tip
The --report
command can be used to return details of all vulnerable libraries in the terminal response. Every CVE found will have output like this:
org.webjars/jquery-ui/1.11.4 is vulnerable CVE-2016-7103 MEDIUMCross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
The vulnerable records returned can be restricted by using the cve_severity
parameter which sets the minimum threshold for a CVE to be reported.
To prevent an application from being deployed with a library above a severity threshold the --fail
parameter can be used as part of an automated CI/CD pipeline. For example, you can run the CLI using a YAML file with:
contrast-cli --yamlPath path/to/yaml --report --cve_severity high --fail