Skip to main content

Register applications with the Contrast CLI

Once you install the Contrast CLI you must first register applications in order to see the results in Contrast.

Tip

You may want to invoke the Contrast CLI as part of your automated build process.

  1. Locate your application ID. The application ID is the last URI segment in the Contrast URL in your browser.

    URI.png
  2. Locate your keys. You will need:

    • API key

    • Organization ID

    • Authorization header

    • Server host name from the Contrast URL

      Note

      You only need to enter the server host name. For example, if the Contrast URL is https://app.contrastsecurity.com/file/path/, just enter:

      --host app.contrastsecurity.com
  3. To begin analysis, use one of these options:

    • Replace <APIKey>, <AuthorizationKey>, <OrganizationID>, <Host> and <ApplicationID> with your API key, authorization header, Organization ID, host name and application ID, then run the CLI.

      contrast-cli \
      --api_key <APIKey> \
      --authorization <AuthorizationKey> \
      --organization_id <OrganizationId> \
      --host <Host> \
      --application_id <ApplicationId>
    • Place credentials within a YAML file, using the same replacements:

      cli:
          api_key: <APIKey>
          authorization: <AuthorizationKey>
          organization_id: <OrganizationId> 
          host: <Host>
          application_id: <ApplicationId>

      Replace <path/to/yaml> with your YAML path, and run this command to initiate:

      contrast-cli --yaml_path <path/to/yaml>

      Note

      If you need to go through a communication protocol like Transport Layer Security (TLS) for example add the following parameters to the YAML file:

      key: pathToKey
      cert: pathToCert
      cacert: pathToCaCert
  4. After you see a success message, you are ready to view the dependency tree.

Tip

It is possible to add a new application to Contrast without instrumenting the application by using the --catalogue_application and --application_name options. However, it is best to instrument the application so that the library score and library grid are populated in Contrast.

For example:

contrast-cli \
--catalogue_application \
--api_key <YourApiKey> \
--authorization <YourAuthorizationKey> \
--organization_id <YourOrganizationID> \
--host <YourHost> \
--application_name <YourApplicationName> \
--language <YourApplicationLanguage>

Replace <APIKey> with your API key, <AuthorizationKey> with the authorization header, <OrganizationID> with your organization ID, <Host> with your host name, <ApplicationName> with your application name, and <ApplicationLanguage> with your application language. Allowable language values are JAVA, DOTNET, NODE, PHP, PYTHON, RUBY, and GO.

You will know the catalogue operation was successful if an application ID is displayed in the console.

Note

You can also register an application and create an SBOM report at the same time with a set of CLI commands.