
Contrast CLI commands

The following is a listing of the commands available to basic and advanced users of Contrast CLI.

Usage: contrast [command] [options]

Searches for a dependency configuration file in the working directory to perform a security audit of dependencies and returns the results.

  • Java: pom.xml and the Maven build platform including the dependency plugin, OR a build.gradle file with gradle dependencies or ./gradlew dependencies supported

  • .NET Core: MSBuild 15.0 or greater and a packages.lock.json file. Note: If the packages.lock.json file is unavailable it can be generated by setting RestorePackagesWithLockFile to true within each *.csproj file and running dotnet build.

  • Node: package.json and a lock file (either package-lock.json or yarn.lock)

  • PHP: composer.json and composer.lock files

  • Python: Pipfile and Pipfile.lock files

  • Ruby: Gemfile and Gemfile.lock files

  • Go: go.mod file

  • Usage: contrast audit [option]

    Note

    By default, results are not held or stored, which would allow you to do local checks via your console. Add the --track flag to the contrast audit command to view your SCA results via the dependency tree in the Contrast web interface.

  • Options:

    • --fail

      Fail a build based on the severity of CVEs found. Use with the --severity flag. For example, contrast audit --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2.

    • --file

      Specify a directory or the file where dependencies are declared. (By default, Contrast CLI will search for project files in the current directory.) If multiple project files are found in the directory, you will be prompted to confirm the file to audit.

      Alias: -f

    • --ignore-dev

      Excludes developer dependencies from the results. All dependencies are included by default.

      Alias: -i

    • --save

      Generate and save an SBOM (Software Bill of Materials). Valid options are --save spdx and --save cyclonedx (CycloneDX is the default format).

      Alias: -s

    • --severity

      Specify the severity of CVE to fail a build. Use with the --fail flag. For example, contrast audit --fail --severity high. Severity levels are critical, high, medium, low, or note.

  • Advanced options:

    • --api-key

      Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.

    • --application-id

      The ID of the application cataloged by Contrast.

    • --application-name

      The name of the application cataloged by Contrast.

    • --app-groups

      Assign your application to one or more preexisting groups when onboarding an application. Group lists should be comma separated.

    • --authorization

      Required for Enterprise users. Authorization header provided by Contrast.

    • --code

      The application code the application should use in Contrast.

    • --host

      Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.

    • --maven-settings-path

      Displays the path to the Maven settings.xml file.

    • --metadata

      Define a set of key=value pairs (that conforms to RFC 2253) for specifying user-defined metadata associated with the application.

    • --organization-id

      Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.

    • --tags

      Apply labels to an application. Labels must be formatted as a comma-delimited list. For example, label1,label2,label3.

    • --track

      Send your dependency audit to Contrast to see the results in the Contrast web interface and start automating security checks.

  • Proxy settings:

    • --cacert

      Displays the path to the CaCert (certificate authority (CA) certificates) file.

    • --cert

      Displays the path to the Cert (certificate) file.

    • --cert-self-signed

      For Contrast on-premises (EOP) users with a local install, will bypass the SSL certificate and recognize a self-signed certificate.

    • --key

      Displays the path to the Certificate Key.

    • --proxy

      Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
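The --fail, --severity and exit-code behaviour above is what a CI job has to interpret. The following is an added example (not Contrast's own code) of a small gate script that assembles the audit command from the flags documented on this page, runs it, and keeps the documented exit code 2 ("failure detected") distinct from any other non-zero status, so that a broken run (missing lock file, network error, bad credentials) is never mistaken for a clean audit. It assumes the `contrast` binary is on PATH; the option names and the severity list come from the page.

```python
"""CI gate around `contrast audit` (added example; not Contrast's own code).

Assumes the `contrast` binary is on PATH. Only flags documented on the page are
used; exit code 2 is the documented "failure detected" status.
"""
import subprocess
import sys
from typing import List, Optional

# Severity levels accepted by --severity, as listed on the page.
SEVERITIES = ("critical", "high", "medium", "low", "note")


def build_audit_command(severity: str, file: Optional[str] = None,
                        ignore_dev: bool = False, track: bool = False,
                        save: Optional[str] = None,
                        binary: str = "contrast") -> List[str]:
    """Assemble the audit command line from the documented flags.

    Validating the severity here means a typo in the pipeline config fails
    loudly instead of producing a gate that never triggers.
    """
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    if save is not None and save not in ("spdx", "cyclonedx"):
        raise ValueError("--save accepts only spdx or cyclonedx")
    cmd = [binary, "audit", "--fail", "--severity", severity]
    if file:
        cmd += ["--file", file]
    if ignore_dev:
        cmd.append("--ignore-dev")
    if track:
        cmd.append("--track")
    if save:
        cmd += ["--save", save]
    return cmd


def classify_exit(returncode: int) -> str:
    """Map the CLI exit status to a CI outcome.

    0  -> "pass"           (no CVE at or above the threshold)
    2  -> "policy_failure" (documented: a failure was detected)
    other -> "tool_error"  (the audit did not complete; never treat as a pass)
    """
    if returncode == 0:
        return "pass"
    if returncode == 2:
        return "policy_failure"
    return "tool_error"


def run_gate(cmd: List[str]) -> str:
    """Run the command and return the classified outcome, echoing output on failure."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    outcome = classify_exit(proc.returncode)
    if outcome != "pass":
        sys.stderr.write(proc.stdout + proc.stderr)
    return outcome


if __name__ == "__main__":
    # Fail the build on high or critical CVEs, skip dev dependencies,
    # and keep a CycloneDX SBOM next to the results for later review.
    result = run_gate(build_audit_command("high", ignore_dev=True, save="cyclonedx"))
    print(result)
    sys.exit({"pass": 0, "policy_failure": 2}.get(result, 1))
```

The three-way split in `classify_exit` is the point of the wrapper: a pipeline that only checks "exit code is zero" will treat a tool error the same as a policy failure, while one that only checks "exit code is not 2" will silently pass when the audit never ran.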

For CodeSec users, authenticate using your GitHub or Google account. A new browser window will open for log in.

  • Usage: contrast auth

If you already have a Contrast account, run the following auth command to store your credentials locally.

  • Usage:

    contrast auth
    --api-key <your API key>
    --authorization <your authorization header>
    --host <your host domain>
    --organization-id <your organization ID>

    You can then start scanning using these commands.

Displays stored credentials.

  • Usage: contrast config

  • Options:

    • -c, --clear

      Removes stored credentials.

Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.

  • Usage: contrast scan --help

  • Alias: -h

Scans an AWS Lambda function. The --function-name option gives the name of the Lambda function to scan.

  • Usage: contrast lambda --function-name <function> [options]

  • Alias: -f

  • Options:

    • --endpoint-url

      AWS Endpoint override. Similar to AWS CLI.

      Alias: -e

    • --region

      Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.

      Alias: -r

    • --profile

      AWS configuration profile override. Similar to AWS CLI.

      Alias: -p

    • --json

      Return response in JSON (versus default human-readable format).

      Alias: -j

    • --verbose

      Returns extended information to the terminal.

      Alias: -v

    • --list-functions

      Lists all available lambda functions to scan.

    • --help

      Displays usage guide.

      Alias: -h

  • Proxy settings:

    • --cacert

      Displays the path to the CaCert (certificate authority (CA) certificates) file.

    • --cert

      Displays the path to the Cert (certificate) file.

    • --cert-self-signed

      For Contrast on-premises (EOP) users with a local install, will bypass the SSL certificate and recognize a self-signed certificate.

    • --key

      Displays the path to the Certificate Key.

    • --proxy

      Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".

Launch Contrast’s Secure Code Learning Hub.

  • Usage: contrast learn

Performs a security SAST scan.

  • Usage: contrast scan [option]

  • Options:

    • --fail

      Fail a build based on the severity of the vulnerability found. Use with the --severity flag. For example, contrast scan --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2.

    • --file

      Path of the file you want to scan. Contrast searches for a .jar, .war, .js or .zip file in the working directory if a file is not specified.

      Alias: -f

    • --host

      Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.

    • --language

      Valid values are JAVA, JAVASCRIPT, and DOTNET.

      Alias: -l

    • --name

      Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.

      Alias: -n

    • --save

      Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.

      Alias: -s

    • --severity

      Specify the severity of a vulnerability to fail a build. Use with the --fail flag. For example, contrast scan --fail --severity high. Severity levels are critical, high, medium, low, or note.

    • --timeout

      Time in seconds to wait for the scan to complete. Default value is 300 seconds.

      Alias: -t

  • Advanced options:

    • --api-key

      Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.

    • --authorization

      Required for Enterprise users. Authorization header provided by Contrast.

    • -ff

      Fire and forget. Do not wait for the result of the scan.

    • --host

      Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.

    • --label

      Adds a label to the scan. Defaults to Started by CLI tool at [current date].

    • --organization-id

      Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.

    • --project-id

      The ID associated with a scan project. To find the ID, select a scan project in Contrast and locate the last number in the URL.

  • Proxy settings:

    • --cacert

      Displays the path to the CaCert (certificate authority (CA) certificates) file.

    • --cert

      Displays the path to the Cert (certificate) file.

    • --cert-self-signed

      For Contrast on-premises (EOP) users with a local install, will bypass the SSL certificate and recognize a self-signed certificate.

    • --key

      Displays the path to the Certificate Key.

    • --proxy

      Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
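The --save option above writes the scan results as SARIF, which any text editor can open but which is more useful when summarized by level and location before a reviewer looks at it. The following is an added example (not Contrast's own code) that reads a SARIF file, flattens the results across runs, counts them by level and applies a threshold. It assumes the standard SARIF 2.1.0 layout (runs[].results[] with `level`, `ruleId`, `message.text` and `locations`); the page does not state how Contrast's severity names map onto SARIF levels, so the gate here is on the standard SARIF `level` values. The embedded document is a constructed sample, not real scanner output.

```python
"""Summarize a SARIF results file such as the results.sarif written by
`contrast scan --save` (added example; not Contrast's own code).

Assumes the standard SARIF 2.1.0 structure. How Contrast maps its own severity
names onto SARIF levels is not stated on the page; the threshold below is on the
standard SARIF `level` values only.
"""
import json
from collections import Counter
from typing import Dict, List

# Standard SARIF result levels, ranked so a threshold can be applied.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


def load_results(sarif_text: str) -> List[Dict]:
    """Flatten results from every run into simple records.

    A result with no `level` is treated as "warning", which is the SARIF
    default when neither the result nor its rule specifies one.
    """
    doc = json.loads(sarif_text)
    records = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            location = ""
            locs = r.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                location = f"{uri}:{line}" if line else uri
            records.append({
                "ruleId": r.get("ruleId", "<no rule>"),
                "level": r.get("level", "warning"),
                "message": r.get("message", {}).get("text", ""),
                "location": location,
            })
    return records


def summarize(results: List[Dict]) -> Dict[str, int]:
    """Count results per SARIF level."""
    return dict(Counter(r["level"] for r in results))


def findings_at_or_above(results: List[Dict], threshold: str = "error") -> List[Dict]:
    """Return results whose level ranks at or above the threshold.

    Unknown levels are ranked highest so a malformed or unexpected value is
    surfaced for review rather than dropped.
    """
    if threshold not in LEVEL_RANK:
        raise ValueError(f"threshold must be one of {tuple(LEVEL_RANK)}")
    floor = LEVEL_RANK[threshold]
    return [r for r in results if LEVEL_RANK.get(r["level"], 99) >= floor]


def should_fail(results: List[Dict], threshold: str = "error") -> bool:
    """True when at least one finding meets the threshold."""
    return bool(findings_at_or_above(results, threshold))


# Constructed sample in the SARIF 2.1.0 shape; rule ids and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-sample"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Orders.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used where integrity matters"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Digest.java"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "verbose-logging", "level": "note",
             "message": {"text": "Request body written to log"}},
        ],
    }],
})


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SARIF
    found = load_results(text)
    print("by level:", summarize(found))
    for f in findings_at_or_above(found, "warning"):
        print(f"{f['level']:<8} {f['ruleId']:<20} {f['location']}  {f['message']}")
    sys.exit(2 if should_fail(found, "error") else 0)
```

Run it as `python summarize_sarif.py results.sarif` after a scan with --save; with no argument it runs over the constructed sample. Treating unrecognized levels as failing (rather than ignoring them) is deliberate: a gate that skips what it does not understand fails open.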

Displays Contrast CLI version.

  • Usage: contrast version