Contrast CLI commands
The following is a listing of the commands available to basic and advanced users of Contrast CLI.
Usage: contrast [command] [options]
audit
Searches for a dependency configuration file in the working directory to perform a security audit of dependencies and returns the results.
Language | Requirements |
Java | pom.xml and Maven build platform including the dependency plugin, OR build.gradle file and gradle dependencies or ./gradlew dependencies must be supported |
.NET Core | MSBuild 15.0 or greater and a packages.lock.json file. Note: If the packages.lock.json file is unavailable it can be generated by setting |
Node | package.json and a lock file (either package-lock.json or yarn.lock) |
PHP | composer.json and composer.lock files |
Python | Pipfile and Pipfile.lock files |
Ruby | Gemfile and Gemfile.lock files |
Go | go.mod file |
Usage:
contrast audit [option]
Note
By default, results are not held or stored, which allows you to do local checks via your console. Add the --track flag to the contrast audit command to view your SCA results via the dependency tree in the Contrast web interface.
Options:
--fail
Fail a build based on the severity of CVEs found. Use with the --severity flag. For example, contrast audit --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2.
--file
Specify a directory or the file where dependencies are declared. (By default, Contrast CLI will search for project files in the current directory.) If multiple project files are found in the directory, you will be prompted to confirm the file to audit.
Alias:
-f
--ignore-dev
Excludes developer dependencies from the results. All dependencies are included by default.
Alias:
-i
--save
Generate and save an SBOM (Software Bill of Materials). Valid options are --save spdx and --save cyclonedx (CycloneDX is the default format).
Alias:
-s
--severity
Specify the severity of CVE to fail a build. Use with the --fail flag. For example, contrast audit --fail --severity high. Severity levels are critical, high, medium, low, or note.
Advanced options:
--api-key
Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.
--application-id
The ID of the application cataloged by Contrast.
--application-name
The name of the application cataloged by Contrast.
--app-groups
Assign your application to one or more preexisting groups when onboarding an application. Group lists should be comma separated.
--authorization
Required for Enterprise users. Authorization header provided by Contrast.
--code
The application code the application should use in Contrast.
--host
Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.
--maven-settings-path
Displays the path to the maven settings.xml file.
--metadata
Define a set of key=value pairs (that conforms to RFC 2253) for specifying user-defined metadata associated with the application.
--organization-id
Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.
--tags
Apply labels to an application. Labels must be formatted as a comma-delimited list. For example, label1,label2,label3.
--track
Send your dependency audit to Contrast to see the results in the Contrast web interface and start automating security checks.
Proxy settings:
--cacert
Displays the path to the CaCert (certificate authority (CA) certificates) file.
--cert
Displays the path to the Cert (certificate) file.
--cert-self-signed
For Contrast on-premises (EOP) users with a local install, will bypass the SSL certificate and recognize a self-signed certificate.
--key
Displays the path to the Certificate Key.
--proxy
Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
auth
For CodeSec users, authenticate using your GitHub or Google account. A new browser window opens so that you can log in.
Usage:
contrast auth
If you already have a Contrast account, run the following auth command to store your credentials locally.
Usage:
contrast auth --api-key <your API key> --authorization <your authorization header> --host <your host domain> --organization-id <your organization ID>
You can then start scanning using these commands.
config
Displays stored credentials.
Usage:
contrast config
Options:
-c, --clear
Removes stored credentials.
help
Displays the usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.
Usage:
contrast scan --help
Alias:
-h
lambda
Usage:
contrast lambda --function-name <function> [options]
--function-name
Name of the AWS Lambda function to scan.
Alias:
-f
Options:
--endpoint-url
AWS Endpoint override. Similar to AWS CLI.
Alias:
-e
--region
Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.
Alias:
-r
--profile
AWS configuration profile override. Similar to AWS CLI.
Alias:
-p
--json
Return response in JSON (versus default human-readable format).
Alias:
-j
--verbose
Returns extended information to the terminal.
Alias:
-v
--list-functions
Lists all available lambda functions to scan.
--help
Displays usage guide.
Alias:
-h
Proxy settings:
--cacert
Displays the path to the CaCert (certificate authority (CA) certificates) file.
--cert
Displays the path to the Cert (certificate) file.
--cert-self-signed
For Contrast on-premises (EOP) users with a local install, will bypass the SSL certificate and recognize a self-signed certificate.
--key
Displays the path to the Certificate Key.
--proxy
Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
learn
Launch Contrast's Secure Code Learning Hub.
Usage:
contrast learn
scan
Performs a SAST security scan.
Usage:
contrast scan [option]
Options:
--fail
Fail a build based on the severity of the vulnerability found. Use with the --severity flag. For example, contrast scan --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2.
--file
Path of the file you want to scan. Contrast searches for a .jar, .war, .js or .zip file in the working directory if a file is not specified.
Alias:
-f
--host
Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.
--language
Valid values are JAVA, JAVASCRIPT, and DOTNET.
Alias:
-l
--name
Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.
Alias:
-n
--save
Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.
Alias:
-s
--severity
Specify the severity of a vulnerability to fail a build. Use with the --fail flag. For example, contrast scan --fail --severity high. Severity levels are critical, high, medium, low, or note.
--timeout
Time in seconds to wait for the scan to complete. Default value is 300 seconds.
Alias:
-t
Advanced options:
--api-key
Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.
--authorization
Required for Enterprise users. Authorization header provided by Contrast.
-ff
Fire and forget. Do not wait for the result of the scan.
--host
Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.
--label
Adds a label to the scan. Defaults to Started by CLI tool at [current date].
--organization-id
Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.
--project-id
The ID associated with a scan project. To find the ID, select a scan project in Contrast and locate the last number in the URL.
Proxy settings:
--cacert
Displays the path to the CaCert (certificate authority (CA) certificates) file.
--cert
Displays the path to the Cert (certificate) file.
--cert-self-signed
For Contrast on-premises (EOP) users with a local install, will bypass the SSL certificate and recognize a self-signed certificate.
--key
Displays the path to the Certificate Key.
--proxy
Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
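The --save option above writes a SARIF file (results.sarif) and --fail/--severity turns findings into exit code 2. The following added example (not Contrast's own code) reads such a SARIF file, counts results by SARIF level and reproduces a severity gate on top of it, so a pipeline can act on stored results without re-running the scan. It assumes only the standard SARIF 2.1.0 layout (runs[].results[] with ruleId, level, locations); the sample document and the mapping of levels onto a pass/fail threshold are constructed here, since the page does not document how Contrast severities map onto SARIF levels.

```python
import json
from collections import Counter

# SARIF 2.1.0 result levels ranked for threshold comparison (assumption: Contrast's severity-to-level mapping is not documented on this page).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def load_findings(sarif_text):
    """Flatten runs[].results[] of a SARIF document into plain dicts."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            where = ""
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                where = f"{uri}:{line}" if line else uri
                break  # first location is enough for a summary line
            findings.append({
                "rule": res.get("ruleId", "<no ruleId>"),
                "level": res.get("level", "warning"),  # SARIF default is "warning"
                "where": where,
                "message": res.get("message", {}).get("text", ""),
            })
    return findings

def count_by_level(findings):
    return Counter(f["level"] for f in findings)

def gate(findings, threshold="error"):
    """Return 2 when any finding is at or above threshold (the CLI's --fail
    exit code), else 0. Unknown levels are treated as warnings."""
    bar = LEVEL_RANK[threshold]
    hits = [f for f in findings if LEVEL_RANK.get(f["level"], 2) >= bar]
    for f in hits:
        print(f"{f['level'].upper():7} {f['rule']} {f['where']}: {f['message']}")
    return 2 if hits else 0

# Constructed sample standing in for results.sarif; not real Contrast output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "sql-injection", "level": "error", "message": {"text": "untrusted input reaches query"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Db.java"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "message": {"text": "MD5 used"},  # no level: defaults to warning
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Util.java"}}}]},
    {"ruleId": "todo-comment", "level": "note", "message": {"text": "leftover TODO"}},
]}]})

if __name__ == "__main__":
    raise SystemExit(gate(load_findings(SAMPLE_SARIF), "error"))
```

Replace SAMPLE_SARIF with the contents of results.sarif to gate on a real scan; the process exits 2 exactly as contrast scan --fail would.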
version
Displays the Contrast CLI version.
Usage:
contrast version