Skip to main content

CodeSec by Contrast Security commands

Authenticate using your GitHub or Google account. A new browser window will open for log in.

  • Usage: contrast auth

Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results.


pom.xml and Maven build platform including the dependency plugin


build.gradle file and gradle dependencies or ./gradlew dependencies must be supported


package.json and a lock file (either package-lock.json or yarn.lock)


composer.json and composer.lock files


pipfile and pipfile.lock files


gemfile and gemfile.lock files


go.mod file

Usage: contrast audit

  • Options:

    • --file

      Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.) If multiple project files are found in the directory, you will be prompted to confirm the file to audit.

      Alias: -f

    • --help

      Displays usage guide.

      Alias: -h

    • --ignore-dev

      Excludes developer dependencies from the results. All dependencies are included by default.

      Alias: -i

    • --save

      Generate and save an SBOM (Software Bill of Materials). Valid options are: --save spdx and --save cyclonedx (CycloneDX is the default format.).

      Alias: -s

Displays stored credentials.

  • Usage: contrast config

  • Options:

    • -c, --clear

      Removes stored credentials.

Performs a security SAST scan.

  • Usage: contrast scan [option]

  • Options:

    • --file

      Path of the file you want to scan. Contrast searches for a .jar, .war, .js or .zip file in the working directory if a file is not specified.

      Alias: -f

    • --name

      Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.

      Alias: –n

    • --save

      Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.

      Alias: -s

    • --timeout

      Time in seconds to wait for the scan to complete. Default value is 300 seconds.

      Alias: -t

Name of AWS lambda function to scan.

  • Usage: contrast lambda --function-name

  • Alias: -f

  • Options:

    • contrast lambda --function-name --endpoint-url

      AWS Endpoint override. Similar to AWS CLI.

      Alias: -e

    • contrast lambda --function-name --region

      Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.

      Alias: -r

    • contrast lambda --function-name --profile

      AWS configuration profile override. Similar to AWS CLI.

      Alias: -p

    • contrast lambda --function-name --json

      Return response in JSON (versus default human-readable format).

      Alias: -j

    • contrast lambda -–function-name -–verbose

      Returns extended information to the terminal.

      Alias: -v

    • contrast lambda -–function-name --list-functions

      Lists all available lambda functions to scan.

    • contrast lambda --function-name -–help

      Displays usage guide.

      Alias: -h

Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.

  • Usage: contrast scan --help

  • Alias: -h

Displays Contrast CLI version.

  • Usage: contrast version