
Contrast CLI commands

The following is a listing of the commands available to basic and advanced users of Contrast CLI.

Usage: contrast [command] [options]

Authentication/connectivity

For CodeSec users, authenticate using your GitHub or Google account. A new browser window will open for login.

  • Usage: contrast auth

If you already have a Contrast account, run the following auth command to store your credentials locally.

  • Usage:

    contrast auth 
    --api-key <your API key> 
    --authorization <your authorization header> 
    --host <your host domain> 
    --organization-id <your organization ID> 

Once credentials are stored, the audit, scan and lambda commands below use them automatically; you only need to pass --api-key, --authorization, --host and --organization-id on those commands when you have not run contrast auth.

Displays stored credentials.

  • Usage: contrast config

  • Options:

    • -c, --clear

      Removes stored credentials.

Displays Contrast CLI version.

  • Usage: contrast version

Main functions

Searches the working directory for a dependency manifest, audits the declared dependencies against known CVEs, and returns the results.

  • Usage: contrast audit [option]

  • Options:

    • --fail

      Fail a build based on the severity of CVEs found. Use with the --severity flag, for example, contrast audit --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2, so a CI job can gate on the exit status.

    • --file

      Specify a directory or the file where dependencies are declared. (By default, Contrast CLI will search for project files in the current directory.) If multiple project files are found in the directory, you will be prompted to confirm the file to audit.

      Alias:-f

    • --ignore-dev

      Excludes developer dependencies from the results. All dependencies are included by default.

      Alias:-i

    • --legacy

      Creates an application in Contrast (a legacy workflow). It displays a dependency tree for your code and uses the application metadata from the advanced options. Note that this is only available for Contrast CLI V2.0.

    • --name

      Set a custom project name. If the name is already in use, it will replace the results for that project. Avoid special characters.

    • --save

      Generate and save an SBOM (Software Bill of Materials). Valid options are: --save cyclonedx and --save spdx (CycloneDX is the default format.).

      Alias:-s

    • --severity

      Specify the minimum severity of CVE to fail a build. Use with the --fail flag. For example, contrast audit --fail --severity high. Severity levels are critical, high, medium, low, or note.

    • --track

      By default, results are not retained, so you can run local checks from your console without anything being stored in Contrast. Add the --track flag to store the results and view your project's SCA results under the Static view on the Libraries page in the Contrast web interface. Note that this is only available for Contrast CLI V2.0.

  • Advanced options:

    • --api-key

      Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.

    • --application-id

      The ID of the application cataloged by Contrast.

    • --application-name

      The name of the application cataloged by Contrast.

    • --app-groups

      Assign your application to one or more preexisting groups when onboarding an application. Group lists should be comma separated.

    • --authorization

      Required for Enterprise users. Authorization header provided by Contrast.

    • --code

      The application code to use for the application in Contrast.

    • --host

      Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.

    • --maven-settings-path

      Path to the Maven settings.xml file to use when resolving dependencies.

    • --metadata

      Define a set of key=value pairs (conforming to RFC 2253) that specify user-defined metadata associated with the application.

    • --organization-id

      Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.

    • --tags

      Apply labels to an application. Labels must be formatted as a comma-delimited list. For example, label1,label2,label3.

  • Proxy settings:

    • --cacert

      Path to the file containing the certificate authority (CA) certificates used to verify the Contrast server's TLS certificate.

    • --cert

      Path to the client certificate file.

    • --cert-self-signed

      For Contrast on-premises (EOP) users with a local install: skips verification of the server's TLS certificate so that a self-signed certificate is accepted. Because this disables certificate validation entirely, use it only against an on-premises host you control, and prefer --cacert with your internal CA where possible.

    • --key

      Path to the private key file for the client certificate.

    • --proxy

      Connect through a proxy server. If the proxy requires authentication, include the username and password with the protocol, host, and port, for example "http://username:password@<host>:<port>". Credentials passed this way are visible in shell history and process listings on the build host.

Performs a security SAST scan.

  • Usage: contrast scan [option]

  • Options:

    • --fail

      Fail a build based on the severity of the vulnerabilities found. Use with the --severity flag, for example, contrast scan --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2, so a CI job can gate on the exit status.

    • --file

      Path of the file you want to scan. Contrast searches for a .jar, .war, .js or .zip file in the working directory if a file is not specified.

      Alias: -f

    • --host

      Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.

    • --language

      Valid values are JAVA, JAVASCRIPT, and DOTNET.

      Alias: -l

    • --name

      Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.

      Alias: -n

    • --save

      Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.

      Alias: -s

    • --severity

      Specify the minimum severity of a vulnerability to fail a build. Use with the --fail flag. For example, contrast scan --fail --severity high. Severity levels are critical, high, medium, low, or note.

    • --timeout

      Time in seconds to wait for the scan to complete. Default value is 300 seconds.

      Alias: -t

  • Advanced options:

    • --api-key

      Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.

    • --authorization

      Required for Enterprise users. Authorization header provided by Contrast.

    • -ff

      Fire and forget. Do not wait for the result of the scan.

    • --host

      Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.

    • --label

      Adds a label to the scan. Defaults to Started by CLI tool at [current date].

    • --organization-id

      Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.

    • --project-id

      The ID associated with a scan project. To find the ID, select a scan project in Contrast and locate the last number in the URL.

  • Proxy settings:

    • --cacert

      Path to the file containing the certificate authority (CA) certificates used to verify the Contrast server's TLS certificate.

    • --cert

      Path to the client certificate file.

    • --cert-self-signed

      For Contrast on-premises (EOP) users with a local install: skips verification of the server's TLS certificate so that a self-signed certificate is accepted. Because this disables certificate validation entirely, use it only against an on-premises host you control, and prefer --cacert with your internal CA where possible.

    • --key

      Path to the private key file for the client certificate.

    • --proxy

      Connect through a proxy server. If the proxy requires authentication, include the username and password with the protocol, host, and port, for example "http://username:password@<host>:<port>". Credentials passed this way are visible in shell history and process listings on the build host.
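The audit and scan sections above describe the same CI contract: --fail together with --severity turns findings into exit code 2, and scan --save leaves a results.sarif file in the working directory. The script below is an added example of wiring both into a pipeline step; it is not code from the Contrast CLI or its documentation. It assumes credentials were already stored with contrast auth, that the CLI is on PATH as contrast, and that the SARIF file uses the standard SARIF 2.1.0 fields runs[].results[].level and ruleId; the SAMPLE_SARIF document and the file name gate.py are constructed for illustration.

```python
"""CI gate around contrast audit and contrast scan (added example, not
Contrast's own code).

Assumes only what the command reference states: --fail exits with code 2
when findings at or above --severity are present, and scan --save writes
results.sarif to the working directory. The SARIF summary reads the standard
SARIF 2.1.0 fields; SAMPLE_SARIF is a constructed document, not real output.
"""
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path
from typing import List, Optional

# Exit codes documented for --fail. Any other non-zero code is a tool error
# (auth, network, parse) and must stop the pipeline too, not pass as "clean".
EXIT_CLEAN = 0
EXIT_POLICY_FAIL = 2

# Constructed sample of a SARIF file; layout follows SARIF 2.1.0.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "constructed finding"}},
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "constructed finding"}},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "constructed finding"}},
        {"level": "note", "message": {"text": "constructed informational"}},
    ]}],
}


def classify_exit(rc: int) -> str:
    """Translate a contrast exit code into a pipeline verdict."""
    if rc == EXIT_CLEAN:
        return "pass"
    if rc == EXIT_POLICY_FAIL:
        return "fail"   # findings at or above the --severity threshold
    return "error"      # tool failure: never silently treat as a pass


def audit_command(severity: str = "high", ignore_dev: bool = True,
                  sbom_format: Optional[str] = "cyclonedx") -> List[str]:
    """Dependency audit that gates the build and keeps an SBOM as evidence."""
    cmd = ["contrast", "audit", "--fail", "--severity", severity]
    if ignore_dev:
        cmd.append("--ignore-dev")
    if sbom_format:                       # "cyclonedx" or "spdx"
        cmd += ["--save", sbom_format]
    return cmd


def scan_command(language: str, artifact: Optional[str] = None,
                 severity: str = "high", timeout: int = 300) -> List[str]:
    """SAST scan that gates the build and writes results.sarif via --save."""
    cmd = ["contrast", "scan", "--fail", "--severity", severity,
           "--language", language, "--timeout", str(timeout), "--save"]
    if artifact:
        cmd += ["--file", artifact]
    return cmd


def summarize_sarif(doc: dict) -> dict:
    """Count results per SARIF level and list the rule IDs that fired.

    SARIF levels (error/warning/note/none) are not the Contrast severities
    used by --severity; this summary is for the job log, the gate itself
    is the exit code.
    """
    levels: Counter = Counter()
    rules = set()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            levels[result.get("level", "none")] += 1
            if "ruleId" in result:
                rules.add(result["ruleId"])
    return {"total": sum(levels.values()),
            "by_level": dict(levels),
            "rules": sorted(rules)}


def run_gate(cmd: List[str], sarif_path: Optional[Path] = None) -> int:
    """Run one gate and return the exit code the CI step should propagate."""
    rc = subprocess.run(cmd).returncode
    print(f"{' '.join(cmd)} -> exit {rc} ({classify_exit(rc)})")
    if sarif_path and sarif_path.is_file():
        summary = summarize_sarif(json.loads(sarif_path.read_text()))
        print(f"{summary['total']} findings by level: {summary['by_level']}; "
              f"rules: {', '.join(summary['rules'])}")
    return rc


if __name__ == "__main__":
    # Usage: python gate.py <JAVA|JAVASCRIPT|DOTNET> [artifact]
    lang = sys.argv[1] if len(sys.argv) > 1 else "JAVA"
    artifact = sys.argv[2] if len(sys.argv) > 2 else None
    rc = run_gate(audit_command())
    if rc == EXIT_CLEAN:               # only spend scan time on a clean tree
        rc = run_gate(scan_command(lang, artifact), Path("results.sarif"))
    sys.exit(rc)
```

The one design point worth keeping is in classify_exit: only 0 is a pass and only 2 is a policy failure; an unexpected code (for example an expired authorization header, or a network failure) is reported as an error and still fails the step, so a broken scanner cannot quietly turn into a green build.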

Scans an AWS Lambda function.

  • Usage: contrast lambda --function-name <function> [options]

  • --function-name

    Name of the AWS Lambda function to scan.

    Alias: -f

  • Options:

    • --endpoint-url

      Overrides the AWS endpoint URL, as in the AWS CLI.

      Alias: -e

    • --region

      Overrides the AWS region. Defaults to the AWS_DEFAULT_REGION environment variable, as in the AWS CLI.

      Alias: -r

    • --profile

      Overrides the AWS configuration profile, as in the AWS CLI.

      Alias: -p

    • --json

      Return response in JSON (versus default human-readable format).

      Alias: -j

    • --verbose

      Returns extended information to the terminal.

      Alias: -v

    • --list-functions

      Lists all available lambda functions to scan.

    • --help

      Displays usage guide.

      Alias: -h

  • Proxy settings:

    • --cacert

      Path to the file containing the certificate authority (CA) certificates used to verify the Contrast server's TLS certificate.

    • --cert

      Path to the client certificate file.

    • --cert-self-signed

      For Contrast on-premises (EOP) users with a local install: skips verification of the server's TLS certificate so that a self-signed certificate is accepted. Because this disables certificate validation entirely, use it only against an on-premises host you control, and prefer --cacert with your internal CA where possible.

    • --key

      Path to the private key file for the client certificate.

    • --proxy

      Connect through a proxy server. If the proxy requires authentication, include the username and password with the protocol, host, and port, for example "http://username:password@<host>:<port>". Credentials passed this way are visible in shell history and process listings on the build host.

Help and learn

Displays the usage guide. To list detailed help for any CLI command, add the -h or --help flag to that command.

  • Usage: contrast [command] --help (for example, contrast scan --help)

  • Alias: -h

Launch Contrast’s Secure Code Learning Hub.

  • Usage: contrast learn