Contrast CLI commands
The following is a listing of the commands available to basic and advanced users of Contrast CLI.
Usage:
contrast [command] [options]
Authentication/connectivity
For CodeSec users, authenticate using your GitHub or Google account. A new browser window will open for login.
Usage:
contrast auth
If you already have a Contrast account, run the following auth command to store your credentials locally.
Usage:
contrast auth --api-key <your API key> --authorization <your authorization header> --host <your host domain> --organization-id <your organization ID>
You can then start scanning with the commands listed below.
Displays stored credentials.
Usage:
contrast config
Options:
--clear
Removes stored credentials.
Alias:
-c
Displays Contrast CLI version.
Usage:
contrast version
Main functions
Searches for a dependency configuration file in the working directory to perform a security audit of dependencies and returns the results.
Usage:
contrast audit [option]
Options:
--fail
Fail a build based on the severity of CVEs found. Use with the --severity flag. For example, contrast audit --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2.
--file
Specify a directory or the file where dependencies are declared. (By default, Contrast CLI will search for project files in the current directory.) If multiple project files are found in the directory, you will be prompted to confirm the file to audit.
Alias:
-f
--ignore-dev
Excludes developer dependencies from the results. All dependencies are included by default.
Alias:
-i
--legacy
Creates an application in Contrast (a legacy workflow). It displays a dependency tree for your code and utilizes metadata. Note that this is only available for Contrast CLI V2.0.
--name
Set a custom project name. If the name is already in use, it will replace the results for that project. Avoid special characters.
--save
Generate and save an SBOM (Software Bill of Materials). Valid options are --save cyclonedx and --save spdx (CycloneDX is the default format).
Alias:
-s
--severity
Specify the minimum severity of CVE to fail a build. Use with the --fail flag. For example, contrast audit --fail --severity high. Severity levels are critical, high, medium, low, or note.
--track
By default, results are not held or stored, so you can run local checks from your console. Add the --track flag to view your projects' SCA results under the Static view on the Libraries page in the Contrast web interface. Note that this is only available for Contrast CLI V2.0.
Advanced options:
--api-key
Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.
--application-id
The ID of the application cataloged by Contrast.
--application-name
The name of the application cataloged by Contrast.
--app-groups
Assign your application to one or more preexisting groups when onboarding an application. Group lists should be comma separated.
--authorization
Required for Enterprise users. Authorization header provided by Contrast.
--code
The application code the application should use in Contrast.
--host
Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.
--maven-settings-path
Displays the path to the maven settings.xml file.
--metadata
Define a set of key=value pairs (conforming to RFC 2253) for specifying user-defined metadata associated with the application.
--organization-id
Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.
--tags
Apply labels to an application. Labels must be formatted as a comma-delimited list. For example, label1,label2,label3.
Proxy settings:
--cacert
Displays the path to the CaCert (certificate authority (CA) certificates) file.
--cert
Displays the path to the Cert (certificate) file.
--cert-self-signed
For Contrast on-premises (EOP) users with a local install, bypasses SSL certificate verification so that a self-signed certificate is accepted.
--key
Displays the path to the Certificate Key.
--proxy
Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
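As an added example (not part of the Contrast documentation), a POSIX sh CI step that stores credentials non-interactively with the auth command above and then runs the audit gate, treating only exit 0 as a pass: exit 2 is the documented "failure detected" status, and any other status is a tool error rather than a clean result. The CONTRAST_* variable names, CONTRAST_CMD and the stub used for testing are assumptions; contrast scan --fail --severity uses the same exit convention, so the same wrapper applies there.

```shell
#!/bin/sh
# Added CI example, not from the Contrast docs. Assumed names: the CONTRAST_*
# variables hold the four values `contrast auth` needs; CONTRAST_CMD lets a
# test substitute a stub for the real CLI.
CONTRAST_CMD="${CONTRAST_CMD:-contrast}"

# Accept only the severity levels the CLI documents for --severity.
validate_severity() {
  case "$1" in
    critical|high|medium|low|note) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 2 is the documented "failure detected" status. Any other non-zero
# status (missing binary, network or credential problem) is a tool error
# and must never be reported as a clean audit.
classify_exit() {
  case "$1" in
    0) echo "pass" ;;
    2) echo "policy-fail" ;;
    *) echo "tool-error" ;;
  esac
}

# Non-interactive login; secrets come from the environment, not the job file.
contrast_login() {
  "$CONTRAST_CMD" auth \
    --api-key "${CONTRAST_API_KEY:?}" \
    --authorization "${CONTRAST_AUTHORIZATION:?}" \
    --host "${CONTRAST_HOST:?}" \
    --organization-id "${CONTRAST_ORG_ID:?}"
}

# Run the gate at the given severity, keep the SBOM, and propagate the CLI's
# exit status so the pipeline fails on both policy failures and tool errors.
run_audit_gate() {
  severity="$1"
  validate_severity "$severity" || { echo "unknown severity: $severity" >&2; return 64; }
  if "$CONTRAST_CMD" audit --fail --severity "$severity" --ignore-dev --save cyclonedx; then
    status=0
  else
    status=$?
  fi
  echo "contrast audit exit=$status verdict=$(classify_exit "$status")"
  return "$status"
}
# Usage: sh audit_gate.sh high   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
  contrast_login && run_audit_gate "$1"
fi
```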
Performs a security SAST scan.
Usage:
contrast scan [option]
Options:
--fail
Fail a build based on the severity of the vulnerability found. Use with the --severity flag. For example, contrast scan --fail --severity high. Returns all failures if no severity level is specified. If a failure is detected, the CLI exits with code 2.
--file
Path of the file you want to scan. Contrast searches for a .jar, .war, .js or .zip file in the working directory if a file is not specified.
Alias:
-f
--host
Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.
--language
Valid values are JAVA, JAVASCRIPT, and DOTNET.
Alias:
-l
--name
Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.
Alias:
-n
--save
Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.
Alias:
-s
--severity
Specify the minimum severity of a vulnerability to fail a build. Use with the --fail flag. For example, contrast scan --fail --severity high. Severity levels are critical, high, medium, low, or note.
--timeout
Time in seconds to wait for the scan to complete. Default value is 300 seconds.
Alias:
-t
Advanced options:
--api-key
Required for Enterprise users. Agent API key provided by Contrast. See agent keys to find your keys.
--authorization
Required for Enterprise users. Authorization header provided by Contrast.
-ff
Fire and forget. Do not wait for the result of the scan.
--host
Required for Enterprise users. The host name. For example, https://app.contrastsecurity.com/.
--label
Adds a label to the scan. Defaults to Started by CLI tool at [current date].
--organization-id
Required for Enterprise users. The ID of your organization in Contrast. See agent keys to find the ID.
--project-id
The ID associated with a scan project. To find the ID, select a scan project in Contrast and locate the last number in the URL.
Proxy settings:
--cacert
Displays the path to the CaCert (certificate authority (CA) certificates) file.
--cert
Displays the path to the Cert (certificate) file.
--cert-self-signed
For Contrast on-premises (EOP) users with a local install, bypasses SSL certificate verification so that a self-signed certificate is accepted.
--key
Displays the path to the Certificate Key.
--proxy
Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
Scans an AWS Lambda function.
Usage:
contrast lambda --function-name <function> [options]
Options:
--function-name
Name of the AWS Lambda function to scan.
Alias:
-f
--endpoint-url
AWS Endpoint override. Similar to AWS CLI.
Alias:
-e
--region
Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.
Alias:
-r
--profile
AWS configuration profile override. Similar to AWS CLI.
Alias:
-p
--json
Return response in JSON (versus default human-readable format).
Alias:
-j
--verbose
Returns extended information to the terminal.
Alias:
-v
--list-functions
Lists all available lambda functions to scan.
--help
Displays usage guide.
Alias:
-h
Proxy settings:
--cacert
Displays the path to the CaCert (certificate authority (CA) certificates) file.
--cert
Displays the path to the Cert (certificate) file.
--cert-self-signed
For Contrast on-premises (EOP) users with a local install, bypasses SSL certificate verification so that a self-signed certificate is accepted.
--key
Displays the path to the Certificate Key.
--proxy
Allows for connection via a proxy server. If authentication is required, provide the username and password with the protocol, host, and port. For example, "http://username:password@<host>:<port>".
Help and learn
Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.
Usage:
contrast scan --help
Alias:
-h
Launch Contrast’s Secure Code Learning Hub.
Usage:
contrast learn