| title | description |
|---|---|
| CLI | Supercharge your security from the command line |
Corgea CLI is a powerful developer tool that helps you find and fix security vulnerabilities in your code. Using our AI-powered scanner (BLAST) and platform, Corgea identifies complex security issues like business logic flaws, authentication vulnerabilities, and other hard-to-find bugs. The CLI provides commands to scan your codebase, inspect findings, interact with fixes, and much more - all designed with a great developer experience in mind.
- Multiple Scanner Support: Scan with BLAST (our AI-powered scanner), and upload reports from Semgrep, Snyk, Checkmarx, CodeQL, Fortify, and Coverity.
- Issue Management: List, inspect, and manage security findings.
- Fix Integration: View and apply AI-generated fixes for vulnerabilities right from your terminal.
- Flexible Output: Support for both human-readable and JSON output formats for easier CI integrations.
- CI/CD Integration: Fail builds based on severity levels or custom blocking rules.
- Scan Management: Track scan progress and results across your projects.
Before using the Corgea CLI, ensure you have:
- Corgea account: An active Corgea account.
- API Token: A valid API token from your Corgea dashboard.
To install the Corgea CLI with npm:

```bash
npm install -g @corgea/cli
```

The npm package bundles native binaries for supported platforms and selects the correct binary for your OS and architecture at runtime.
To install the Corgea CLI with Python's package installer, pip, open your terminal and run:

```bash
pip install corgea-cli
```

This command fetches the Corgea CLI package from PyPI (the Python Package Index) and installs it on your system. You can find more details about the package on its PyPI page: https://pypi.org/project/corgea-cli/.
To install the Corgea CLI using Homebrew, first add the Corgea tap and then install the CLI:

```bash
brew tap Corgea/cli
brew install corgea-cli
```

On Windows, download the latest binary from https://github.com/Corgea/cli/releases/download/v.1.6.3/corgea_windows_x64.zip and move the executable to a directory in your PATH.

On Linux, download the release archive, unpack it, and move the executable into a directory in your PATH:

```bash
curl -L https://github.com/Corgea/cli/releases/download/v.1.6.3/corgea_linux_x86_64.zip -o corgea.zip && unzip corgea.zip
chmod +x corgea
sudo mv corgea /usr/local/bin
```

To authenticate with the CLI, use the following command. This will redirect you to the web application to authorize the CLI:
```bash
corgea login
```

Hint: Your company scope is the Corgea subdomain, for example https://your-company.corgea.app:

```bash
corgea login --scope your-company
```

For automated pipelines and CI/CD environments, use API key authentication, which is non-interactive and therefore more reliable:

```bash
corgea login YOUR_API_TOKEN
```

You can also set the API token in an environment variable. Prefer this in CI: a token passed as a command-line argument ends up in shell history and can be read from the process list by other users on the host, whereas an environment variable populated from the CI system's secret store avoids both.

```bash MacOS/Unix
export CORGEA_API_TOKEN="your-api-token-here"
corgea login
```

```powershell Windows
$env:CORGEA_API_TOKEN="your-api-token-here"
corgea login
```

Customers using a single-tenant instance need to configure the CLI to point to their specific instance using the --url option:

```bash
corgea login --url https://<<Your Instance>>.corgea.app YOUR_API_TOKEN
```

You can also set the URL in an environment variable and the CLI will automatically detect it:

```bash MacOS/Unix
export CORGEA_URL="https://<<Your Instance>>.corgea.app"
export CORGEA_API_TOKEN="your-api-token-here"
corgea login
```

```powershell Windows
$env:CORGEA_URL="https://<<Your Instance>>.corgea.app"
$env:CORGEA_API_TOKEN="your-api-token-here"
corgea login
```

Upload a scan report to Corgea via STDIN or a file (JSON, SARIF, FPR, or Coverity XML):
```bash
corgea upload path/to/report.json
```

To control the project name shown in Corgea for uploaded reports, use --project-name. If omitted, the CLI defaults to the git repository name when available, and falls back to the current directory name.

```bash
corgea upload path/to/report.json --project-name my-service
```

To scan your current directory using the default BLAST scanner:
```bash
corgea scan
```

To specify a different scanner, such as Semgrep:

```bash
corgea scan semgrep
```

You can also make the scan fail when findings at or above a given severity level are present, which is how a CI build is broken (the severity codes are CR, HI, ME, and LO, the same levels used by the pre-commit hook defaults):

```bash
corgea scan --fail-on CR
```

Or fail based on blocking rules defined in the web app:

```bash
corgea scan --fail
```

By default, the scan command scans the entire project. However, if you only want to scan your changes before committing, you can use the --only-uncommitted option.
```bash
corgea scan --only-uncommitted
```

You can also target specific files or subsets of your project (BLAST scans only) with the --target option. It accepts comma-separated values and supports file paths, directory paths, glob patterns, git selectors, or stdin.

Examples:

```bash
corgea scan --target src/,pyproject.toml
corgea scan --target "src/**/*.py"
corgea scan --target git:diff=origin/main...HEAD
corgea scan --target git:staged,git:modified,git:untracked
corgea scan --target -
git ls-files -z | corgea scan --target -0
```

Note: --only-uncommitted and --target cannot be used together.
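The pieces above (environment-variable login, --fail-on, a git:diff target for pull requests, and the --out-format/--out-file export described under output formats on this page) put together in one CI gate script. This is an added example and not code from the Corgea CLI or its documentation. CORGEA_API_TOKEN and CORGEA_URL are the CLI's own documented variables; CORGEA_FAIL_ON, CORGEA_PROJECT and CORGEA_BASE_REF are hypothetical variable names chosen for this script.

```shell
#!/bin/sh
# ci-corgea-gate.sh: CI wrapper around the documented `corgea login` and
# `corgea scan` commands. Added example, not part of the Corgea CLI or its docs.
# Assumptions: the CI system exports CORGEA_API_TOKEN from its secret store;
# CORGEA_FAIL_ON, CORGEA_PROJECT and CORGEA_BASE_REF are hypothetical names.
set -eu

# Severity codes accepted by --fail-on (the levels the hook defaults list).
valid_fail_on() {
    case "$1" in
        CR|HI|ME|LO) return 0 ;;
        *) return 1 ;;
    esac
}

# Git selector for a pull-request scan: only commits not on the base branch.
# Prints nothing when no base ref is given, which means a full scan.
diff_selector() {
    if [ -n "$1" ]; then
        printf 'git:diff=%s...HEAD\n' "$1"
    fi
}

# Rough finding count from a SARIF report for the job log: each result object
# carries a "ruleId" key, so counting occurrences works for minified and
# pretty-printed JSON alike without requiring jq on the runner.
sarif_result_count() {
    grep -o '"ruleId"' "$1" | wc -l | tr -d ' '
}

main() {
    : "${CORGEA_API_TOKEN:?export CORGEA_API_TOKEN from the CI secret store}"
    fail_on="${CORGEA_FAIL_ON:-HI}"
    base_ref="${CORGEA_BASE_REF:-}"

    valid_fail_on "$fail_on" || { echo "invalid CORGEA_FAIL_ON: $fail_on" >&2; exit 2; }

    # Token (and CORGEA_URL for single-tenant instances) come from the
    # environment, so neither appears in the job's argv or shell history.
    corgea login

    # Build the argument list with positional parameters instead of eval, so a
    # project name with spaces or shell metacharacters cannot be reinterpreted.
    set -- --fail-on "$fail_on" --out-format=sarif --out-file=corgea.sarif
    if [ -n "${CORGEA_PROJECT:-}" ]; then
        set -- "$@" --project-name "$CORGEA_PROJECT"
    fi
    if [ -n "$base_ref" ]; then
        # --target is documented for BLAST scans only.
        set -- "$@" --target "$(diff_selector "$base_ref")"
    fi

    if corgea scan "$@"; then
        echo "corgea: $(sarif_result_count corgea.sarif) finding(s), none at or above $fail_on"
    else
        echo "corgea: findings at or above $fail_on (or the scan failed); see corgea.sarif if it was written" >&2
        exit 1
    fi
}

# Invoke as `sh ci-corgea-gate.sh run` in the CI step. Without the argument the
# file only defines the functions, so it can be sourced and unit-tested.
if [ "${1:-}" = "run" ]; then
    main
fi
```

In GitHub Actions, for instance, the step would set `CORGEA_API_TOKEN: ${{ secrets.CORGEA_API_TOKEN }}` in its `env` and run `sh ci-corgea-gate.sh run`; on a pull request, set CORGEA_BASE_REF to the base branch (for example origin/main) so only the PR's commits are scanned, and leave it unset on the default branch for a full scan. The SARIF file can then be kept as a build artifact or uploaded to a code-scanning dashboard.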
To control the project name shown in Corgea, use --project-name. If omitted, the CLI defaults to the git repository name when available, and falls back to the current directory name.
```bash
corgea scan --project-name my-service
```

The regular BLAST scan includes multiple scans:
- Blast Base AI Scan
- PolicyIQ Scan
- Malicious Code Detection Scan
- Secrets Detection Scan
- Personally identifiable information (PII) Detection Scan
By default, all these scans run (if they are enabled for your company account plan). However, the CLI provides the flexibility to run a scan targeting one or more types with the --scan-type option.
```bash
corgea scan --scan-type secrets
```

or multiple types:

```bash
corgea scan --scan-type blast,policy,secrets,pii
```

To target specific policies with a PolicyIQ scan, use the --policy option. This allows you to focus on one or more policies by passing their ID(s).

```bash
corgea scan --scan-type policy --policy 1
```

The Corgea CLI allows you to export scan results to a file, which is particularly useful when running the tool within a CI pipeline. You can do this using the --out-format and --out-file options.

```bash
corgea scan --out-format=json --out-file=report.json
```

The CLI currently supports html, json and sarif as output formats.

```bash
corgea scan --out-format=html --out-file=report.html
corgea scan --out-format=sarif --out-file=report.sarif
```

To wait for the latest in-progress scan:
```bash
corgea wait
```

Or specify a scan ID to wait for:

```bash
corgea wait --scan-id SCAN_ID
```

To list all scans for the current directory (paginated by default):

```bash
corgea ls
```

To list issues for a specific scan:

```bash
corgea ls --issues --scan-id SCAN_ID
```

You can also control the pagination:

```bash
corgea list --page 1 --page-size 10
```

Note: The --json option is available for commands like list and inspect to output results in JSON format, which is useful for integrations and automation.

```bash
corgea list --page 1 --page-size 10 --json
```

To list SCA (software composition analysis) issues for a project or a scan, use --sca-issues or its -c shorthand:

```bash
corgea list --sca-issues --page 1 --page-size 10 --json
```

or

```bash
corgea list -c --page 1 --page-size 10 --json
```

To inspect a specific scan:
```bash
corgea inspect SCAN_ID
```

To inspect an issue with detailed output:

```bash
corgea inspect --issue --json --summary ISSUE_ID
```

For fix explanations or diffs:

```bash
corgea inspect --issue --fix ISSUE_ID
corgea inspect --issue --diff ISSUE_ID
```

To ensure code quality and security, you can integrate the Corgea CLI with your Git workflow using pre-commit hooks. This lets you scan your code changes before committing or pushing them. To set up the pre-commit hook, run:

```bash
corgea setup-hooks
```

When setting up the pre-commit hook, you will be prompted for your preferred scan configuration. To set it up quickly with the default settings (scan types PII and secrets, and fail levels CR, HI, ME, and LO), run:

```bash
corgea setup-hooks --default-config
```

To bypass the pre-commit check when committing, use:

```bash
git commit --no-verify
```

Keep in mind that --no-verify skips every pre-commit hook, not just Corgea's, so a scan in CI should remain the authoritative gate.

For more options and commands, use:

```bash
corgea --help
```

For full release notes, please visit our GitHub releases page.