Skip to main content

CodeSec by Contrast Security commands

auth

Authenticate using your GitHub or Google account. A new browser window will open for log in.

  • Usage: contrast auth

audit

Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results.

Java

pom.xml and Maven build platform including the dependency plugin

OR

build.gradle file and gradle dependencies or ./gradlew dependencies must be supported

Node

package.json and a lock file (either package-lock.json or yarn.lock)

PHP

composer.json and composer.lock files

Python

pipfile and pipfile.lock files

Ruby

gemfile and gemfile.lock files

Go

go.mod file

Usage: contrast audit

  • Options:

    • --file

      Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.) If multiple project files are found in the directory, you will be prompted to confirm the file to audit.

      Alias: -f

    • --help

      Displays usage guide.

      Alias: -h

    • --ignore-dev

      Excludes developer dependencies from the results. All dependencies are included by default.

      Alias: -i

    • --save

      Generate and save an SBOM (Software Bill of Materials). Valid options are: --save spdx and --save cyclonedx (CycloneDX is the default format.).

      Alias: -s

config

Displays stored credentials.

  • Usage: contrast config

  • Options:

    • -c, --clear

      Removes stored credentials.

scan

Performs a security SAST scan.

  • Usage: contrast scan [option]

  • Options:

    • --file

      Path of the file you want to scan. Contrast searches for a .jar, .war, .js or .zip file in the working directory if a file is not specified.

      Alias: -f

    • --name

      Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.

      Alias: –n

    • --save

      Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.

      Alias: -s

    • --timeout

      Time in seconds to wait for the scan to complete. Default value is 300 seconds.

      Alias: -t

lambda

Name of AWS lambda function to scan.

  • Usage: contrast lambda --function-name

  • Alias: -f

  • Options:

    • contrast lambda --function-name --endpoint-url

      AWS Endpoint override. Similar to AWS CLI.

      Alias: -e

    • contrast lambda --function-name --region

      Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.

      Alias: -r

    • contrast lambda --function-name --profile

      AWS configuration profile override. Similar to AWS CLI.

      Alias: -p

    • contrast lambda --function-name --json

      Return response in JSON (versus default human-readable format).

      Alias: -j

    • contrast lambda -–function-name -–verbose

      Returns extended information to the terminal.

      Alias: -v

    • contrast lambda -–function-name --list-functions

      Lists all available lambda functions to scan.

    • contrast lambda --function-name -–help

      Displays usage guide.

      Alias: -h

help

Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.

  • Usage: contrast scan --help

  • Alias: -h

version

Displays Contrast CLI version.

  • Usage: contrast version

In this section: