Have ideas to improve npm?Join in the discussion! »


0.0.23 • Public • Published

Contrast command line interface

The Contrast CLI performs software composition analysis (SCA) on your application to show you the dependencies between open source libraries, including where vulnerabilities were introduced. By supplementing existing runtime instrumentation from Contrast agents, with data from pre-compile analysis (not typically available at runtime), Contrast can provide a more detailed and comprehensive view of your applications in the Contrast UI.

Our recommendation is that this is invoked as part of a CI pipeline so that running the cli is automated as part of your build process.


Please Note: The Contrast CLI is executed as a Node.js package. We currently support versions 10, 12 and 14.

npm i -g @contrast/contrast-cli


The Contrast CLI creates a dependency tree and shows library vulnerabilities and sends the information to the Contrast UI.

Supported languages and their requirements are:

Java: pom.xml AND Maven build platform, including the dependency plugin. For a Gradle project, use build.gradle. A gradle-wrapper.properties file is also required.
*Please Note: Running "mvn dependency:tree" or "./gradlew dependencies" in the project directory locally must be successful.
We currently support v4.8 and upwards on Gradle projects

Node : package.json AND a lock file either package-lock.json or yarn.lock

Ruby : gemfile AND gemfile.lock

Python : pipfile AND pipfile.lock

How to run:

You can run the tool on the command line and manually add the parameters or you can include the parameters in a YAML file. If you are assessing an application that has not been instrumented by a Contrast agent, you must first use the tool to register the application (Catalogue command). This gives you an application ID that you then use in the Run command.

Allowable language values are JAVA, NODE, PYTHON and RUBY.

Manual Input Of Command

Catalogue Command

To analyse a new application not already instrumented by Contrast, run the following command:

contrast-cli --catalogue_application --api_key YourApiKey --authorization YourAuthorizationKey --organization_id YourOrganizationId --host YourHost --application_name YourApplicationName --language YourApplicationLanguage

After you run this command, you are provided a new application ID in the console. Use this ID to run the following command:

Run Command:

contrast-cli --api_key YourApiKey --authorization YourAuthorizationKey --organization_id YourOrganizationId --host YourHost --application_id YourApplicationId

Please Note: Parameters may need to be quoted to avoid issues with special characters.

Yaml Catalogue Command:

contrast-cli --catalogue_application --yamlPath PathToYaml

Run Command:

contrast-cli --yamlPath PathToYaml

Example Yaml Note all parameters must be named as below

	api_key: YourApiKey
	authorization: YourAuthorizationKey
	organization_id: YourOrganizationId
	host: YourHost
	application_name: YourApplicationName
	language: YourApplicationLanguage
	application_id: YourApplicationId

TLS To enable TLS please use the YAML file with the following parameters:

key: pathToKey
cert: pathToCert
cacert: pathToCaCert


--yamlPath string Used only if you want to run the command with a yaml
--api_key string (required): An agent API key as provided by Contrast UI
--authorization string (required): An agent Authorization credentials as provided by Contrast UI
--organization_id string (required): The ID of your organization in Contrast UI
--application_id string (required): The ID of the application cataloged by Contrast UI
--host string (required): Provide the name of the host and optionally the port expressed as <host>:<port>.
--application_name string (optional): The name of the application cataloged by Contrast UI
--catalogue_application (required for catalogue): Provide this if you want to catalogue an application
--language string (required for catalogue): Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project path, language is also required.
--project_path string (optional): The directory root of a project/application that you would like analyzed. Defaults to current directory.
--app_groups string (optional for catalogue): Assign your application to one or more pre-existing groups when using the catalogue command. Group lists should be comma separated.
--proxy string (optional): Allows for connection via a proxy server. If authentication is required please provide the username and password with the protocol, host and port. For instance: 'http://username:password@:'.
--silent (optional): Silences JSON output.
-v, --version Displays CLI Version you are currently on.
--sub_project string (optional): Specify the sub project within your gradle application.
-h, --help Display usage guide.
-r, --report Display vulnerability information for this application.
-f, --fail Set the process to fail if this option is set in combination with the --report and --cveseverity.
-s, --cve_severity _type
Combined with the --report command, allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cveseverity=medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.
--cve_threshold _number
The number of CVE's that must be exceeded to fail a build




npm i @contrast/contrast-cli

DownloadsWeekly Downloads






Unpacked Size

280 kB

Total Files


Last publish


  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar
  • avatar