Skip to main content

Use Assess CLI with Node.js agents

Use this procedure if you are using Contrast Node.js agents and want to find vulnerabilities while running API or end-to-end testing..

Before you begin

  • Verify your application can use the Assess CLI by checking the Node.js supported technologies.

  • Contrast Assess is intended for server-side applications only. Assess does not detect vulnerabilities in client-side code.

  • The Node.js agent can only instrument JavaScript applications. If you are using TypeScript for your server-side code, transpile it to JavaScript.


  1. Install the latest version of the agent from the application's root directory with this command:

    npm install @contrast/agent

    If you want to use yarn, use this command:

    yarn add @contrast/agent


    Do not create a configuration (YAML) file for the agent. The Assess CLI creates this file automatically.

  2. Open a terminal window and enter the Assess CLI command.

    contrast assess

    This command generates the agent configuration file that the Contrast CLI and the agent share. CLI commands describes the options for this command, including the path for the configuration file.

    You see output similar to this:

    ✔Configuration file found at "user_path"

    ⠼ Waiting for the session to be created.

  3. In your IDE or a second terminal window, run your application with a command similar to this one:

    node -r @contrast/agent <server.js>

    Replace <server.js> with your Node.js application's server start command. Adjust the command based on your application specifics.

    This command requires the Contrast agent for Node.js and instruments your application’s source code as it is read by the Node.js engine.

  4. Exercise your application, either interactively or using automated API or end-to-end tests.

  5. View the results in the terminal window where you entered the Assess CLI command.