Install the Contrast CLI

To install the Contrast CLI:

  1. Install Node.js. The Contrast CLI runs as a Node.js package, so Node.js is required. Versions 10, 12, and 14 are currently supported.

  2. Instrument your application.


    It is also possible to register an application that has not yet been instrumented. However, all applications should be instrumented so that your application has a library score and the data in the library grid is populated.

  3. Use the cli_proxy property in your agent configuration to establish communication with Contrast over a proxy.

    If authentication is required, provide the username and password with the protocol, host and port. For example:

  4. Be sure the source code for target applications is available locally. Follow these requirements for your application's language:

    • Java:

      • Maven: A Maven project must be defined with a pom.xml file, and have the Apache Maven Dependency plugin. To test if the CLI works with your project, build a dependency tree by running mvn dependency:tree.

      • Gradle (v4.8 or above): To test if the CLI works with your project, build a dependency tree by running gradle dependencies, or ./gradlew dependencies if you use the Gradle Wrapper.

    • Node.js: You must have either a package-lock.json or a .yarn.lock file present.

      (Vulnerability reporting is supported for front-end technologies like React or Angular.)

    • Python: You must have the pipfile and pipfile.lock files present.

    • Ruby: You must have gemfile and gemfile.lock files present.

    • Go: You must have a go.mod file present.


    Only single-language applications are supported at this time.

  5. Run the following command:

    npm install -g @contrast/contrast-cli

    Alternatively, you can install the CLI using Yarn with the following command:

    yarn global add @contrast/contrast-cli


    The Contrast CLI must be installed globally.

  6. Once the installation is complete, you can register an application to begin analyzing your code.
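
A preflight check for steps 1 and 4 above, added here as an example; it is not part of Contrast's documentation or tooling. The function names are hypothetical, `build.gradle` as the Gradle marker is an assumption, and the Python and Ruby files are matched under the capitalised names that Pipenv and Bundler write.

```shell
#!/bin/sh
# Preflight for the Contrast CLI install steps (added example, not Contrast code).

# Step 1: the page lists Node.js 10, 12 and 14 as supported.
node_major_supported() {
    major=${1#v}          # "v14.17.0" -> "14.17.0"
    major=${major%%.*}    # "14.17.0"  -> "14"
    case "$major" in
        10|12|14) return 0 ;;
        *)        return 1 ;;
    esac
}

# Step 4: print one language per line for each required manifest set in $1.
detect_languages() {
    dir=$1
    # pom.xml is named on the page; build.gradle is an assumed Gradle marker.
    if [ -f "$dir/pom.xml" ] || [ -f "$dir/build.gradle" ]; then echo java; fi
    # The page names .yarn.lock; Yarn itself writes yarn.lock, so accept both.
    if [ -f "$dir/package-lock.json" ] || [ -f "$dir/yarn.lock" ] \
        || [ -f "$dir/.yarn.lock" ]; then echo node; fi
    # Python and Ruby need both the manifest and its lock file.
    if [ -f "$dir/Pipfile" ] && [ -f "$dir/Pipfile.lock" ]; then echo python; fi
    if [ -f "$dir/Gemfile" ] && [ -f "$dir/Gemfile.lock" ]; then echo ruby; fi
    if [ -f "$dir/go.mod" ]; then echo go; fi
    return 0
}

# Succeeds only when exactly one language is found (single-language rule).
preflight() {
    langs=$(detect_languages "$1")
    set -- $langs         # language names contain no spaces or glob characters
    case $# in
        1) echo "ok: $1 project"; return 0 ;;
        0) echo "no supported manifest found" >&2; return 1 ;;
        *) echo "multiple languages found: $*" >&2; return 1 ;;
    esac
}

# Usage: sh preflight.sh check <project-dir>
if [ "${1:-}" = "check" ]; then
    node_major_supported "$(node --version)" \
        || echo "unsupported Node.js version" >&2
    preflight "${2:-.}"
fi
```

Run it against the project directory before `npm install -g @contrast/contrast-cli`; a non-zero exit means the directory has no supported manifest or mixes languages.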