
# CLI

> Supercharge your security from the command line

## Introduction

Corgea CLI is a powerful developer tool that helps you find and fix security vulnerabilities in your code. Using our AI-powered scanner (BLAST) and platform, Corgea identifies complex security issues like business logic flaws, authentication vulnerabilities, and other hard-to-find bugs. The CLI provides commands to scan your codebase, inspect findings, interact with fixes, and much more - all designed with a great developer experience in mind.

<Tip>
  **Power up your AI coding agent.** The Corgea CLI also serves as the foundation for our [Agentic Integrations](/agentic_integrations) — install the Corgea Agent Skill and let your AI agent (Cursor, Claude Code, Copilot, and more) scan, triage, and fix vulnerabilities on your behalf.
</Tip>

## Features

* **Multiple Scanner Support**: Scan with BLAST (our AI-powered scanner), and upload reports from Semgrep, Snyk, Checkmarx, CodeQL, Fortify, and Coverity.
* **Issue Management**: List, inspect, and manage security findings.
* **Fix Integration**: View and apply AI-generated fixes for vulnerabilities right from your terminal.
* **Flexible Output**: Support for both human-readable and JSON output formats for easier CI integrations.
* **CI/CD Integration**: Fail builds based on severity levels or custom blocking rules.
* **Scan Management**: Track scan progress and results across your projects.

## Prerequisites

Before using the Corgea CLI, ensure you have:

* **Corgea account**: An active Corgea account.
* **Token for authentication**: A valid Corgea API token or JWT access token.

## Installation Guide

### Install with npm

```bash theme={null}
npm install -g @corgea/cli
```

The npm package bundles native binaries for supported platforms and selects the correct binary for your OS and architecture at runtime.

### Install with pip

To install the Corgea CLI tool, you can use Python's package installer, pip. Open your terminal and run the following command:

```bash theme={null}
pip install corgea-cli
```

This command fetches the Corgea CLI package from PyPI (Python Package Index) and installs it on your system. You can find more details about the package on its PyPI page: [https://pypi.org/project/corgea-cli/](https://pypi.org/project/corgea-cli/).

### Install with Homebrew

To install the Corgea CLI tool using Homebrew, first add the Corgea tap and then install the CLI:

<CodeGroup>
  ```bash MacOS theme={null}
  brew tap Corgea/cli
  brew install corgea-cli
  ```
</CodeGroup>

### Install Manually

<CodeGroup>
  ```bash MacOS theme={null}
  curl -L https://github.com/Corgea/cli/releases/download/v.1.6.3/corgea_macos_aarch64.zip -o corgea.zip && unzip corgea.zip
  chmod +x corgea
  sudo mv corgea /usr/local/bin
  ```

  ```bash Windows theme={null}
  # Download the latest binary from https://github.com/Corgea/cli/releases/download/v.1.6.3/corgea_windows_x64.zip

  # Move the executable to a directory in your PATH.
  ```

  ```bash Linux theme={null}
  curl -L https://github.com/Corgea/cli/releases/download/v.1.6.3/corgea_linux_x86_64.zip -o corgea.zip && unzip corgea.zip
  chmod +x corgea
  sudo mv corgea /usr/local/bin
  ```
</CodeGroup>

## Authentication

### Login with the CLI

To authenticate with the CLI, use the following command. This will redirect you to the web application to authorize the CLI:

```bash theme={null}
corgea login
```

#### Login with custom scope (for customers with Single-Tenant Instance)

**Hint:** Your company scope is the Corgea subdomain, for example `your-company` in `https://your-company.corgea.app`.

```bash theme={null}
corgea login --scope your-company
```

#### Login with token (API token or JWT)

For automated pipelines and CI/CD environments, use token authentication for a reliable, non-interactive login flow. You can pass either a Corgea API token or a JWT access token:

```bash theme={null}
corgea login YOUR_TOKEN
```

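You can also set the token in an environment variable, which keeps it out of the `corgea login` command line; in CI, populate the variable from the pipeline's secret store: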

<CodeGroup>
  ```bash MacOS/Unix theme={null}
  export CORGEA_TOKEN="your-token-here"
  corgea login
  ```

  ```powershell Windows theme={null}
  $env:CORGEA_TOKEN="your-token-here"
  corgea login
  ```
</CodeGroup>

#### Point To A Single-Tenant Instance

Customers using a single-tenant instance need to configure the CLI to point to their specific instance using the `--url` option:

```bash theme={null}
corgea login --url "https://<<Your Instance>>.corgea.app" YOUR_TOKEN
```

You can also set the URL in an environment variable and the CLI will automatically detect it:

<CodeGroup>
  ```bash MacOS/Unix theme={null}
  export CORGEA_URL="https://<<Your Instance>>.corgea.app"
  export CORGEA_TOKEN="your-token-here"
  corgea login
  ```

  ```powershell Windows theme={null}
  $env:CORGEA_URL="https://<<Your Instance>>.corgea.app"
  $env:CORGEA_TOKEN="your-token-here"
  corgea login
  ```
</CodeGroup>

## Usage

### Commands and Options

#### Upload a Scan Report

Upload a scan report to Corgea via STDIN or a file (JSON, SARIF, FPR, or Coverity XML):

```bash theme={null}
corgea upload path/to/report.json
```

To control the project name shown in Corgea for uploaded reports, use `--project-name`. If omitted, the CLI defaults to the git repository name when available, and falls back to the current directory name.

```bash theme={null}
corgea upload path/to/report.json --project-name my-service
```

#### Scan Your Codebase

To scan your current directory using the default BLAST scanner:

```bash theme={null}
corgea scan
```

To specify a different scanner, such as Semgrep:

```bash theme={null}
corgea scan semgrep
```

You can also set the CLI to fail on a specific severity level:

```bash theme={null}
corgea scan --fail-on CR
```

Or fail based on blocking rules defined in the web app:

```bash theme={null}
corgea scan --fail
```

By default, the scan command scans the entire project. However, if you only want to scan your changes before committing, you can use the `--only-uncommitted` option.

```bash theme={null}
corgea scan --only-uncommitted
```

You can also target specific files or subsets of your project (BLAST scans only) with the `--target` option. This accepts comma-separated values and supports file paths, directory paths, glob patterns, git selectors, or stdin.

Examples:

```bash theme={null}
corgea scan --target src/,pyproject.toml
```

```bash theme={null}
corgea scan --target "src/**/*.py"
```

```bash theme={null}
corgea scan --target git:diff=origin/main...HEAD
```

```bash theme={null}
corgea scan --target git:staged,git:modified,git:untracked
```

```bash theme={null}
corgea scan --target -
```

```bash theme={null}
git ls-files -z | corgea scan --target -0
```

Note: `--only-uncommitted` and `--target` cannot be used together.

To control the project name shown in Corgea, use `--project-name`. If omitted, the CLI defaults to the git repository name when available, and falls back to the current directory name.

```bash theme={null}
corgea scan --project-name my-service
```

The regular BLAST scan includes multiple scans:

* Blast Base AI Scan
* PolicyIQ Scan
* Malicious Code Detection Scan
* Secrets Detection Scan
* Personally identifiable information (PII) Detection Scan

By default, all these scans run (if they are enabled for your company account plan). However, the CLI provides the flexibility to run a scan targeting one or more types with the `--scan-type` option.

```bash theme={null}
corgea scan --scan-type secrets
```

Or multiple types:

```bash theme={null}
corgea scan --scan-type blast,policy,secrets,pii
```

To target specific policies with a PolicyIQ scan, use the `--policy` option. This allows you to focus on one or more policies by passing their ID(s).

```bash theme={null}
corgea scan --scan-type policy --policy 1
```

#### Export Scan Report

The Corgea CLI allows you to export scan results to a file, which is particularly useful when running the tool within a CI pipeline. You can do this using the `--out-format` and `--out-file` options.

```bash theme={null}
corgea scan --out-format=json --out-file=report.json
```

The CLI currently supports HTML, JSON, and SARIF as output formats.

```bash theme={null}
corgea scan --out-format=html --out-file=report.html
```

```bash theme={null}
corgea scan --out-format=sarif --out-file=report.sarif
```

#### Wait for a Scan

To wait for the latest in-progress scan:

```bash theme={null}
corgea wait
```

Or specify a scan ID to wait for:

```bash theme={null}
corgea wait --scan-id SCAN_ID
```

#### List Scans, Issues or SCA Issues

To list all scans for the current directory (paginated by default):

```bash theme={null}
corgea ls
```

To list issues for a specific scan:

```bash theme={null}
corgea ls --issues --scan-id SCAN_ID
```

You can also control the pagination:

```bash theme={null}
corgea list --page 1 --page-size 10
```

Note: The `--json` option is available for commands like `list` and `inspect` to output results in JSON format, which is useful for integrations and automation.

```bash theme={null}
corgea list --page 1 --page-size 10 --json
```

To list SCA issues for a project or a scan, use `--sca-issues` or its `-c` shorthand:

```bash theme={null}
corgea list --sca-issues --page 1 --page-size 10 --json
```

or

```bash theme={null}
corgea list -c --page 1 --page-size 10 --json
```

#### Inspect a Scan or Issue

To inspect a specific scan:

```bash theme={null}
corgea inspect SCAN_ID
```

To inspect issues with detailed output:

```bash theme={null}
corgea inspect --issue --json --summary ISSUE_ID
```

For fix explanations or diffs:

```bash theme={null}
corgea inspect --issue --fix ISSUE_ID
corgea inspect --issue --diff ISSUE_ID
```

### Integrating with Git Hooks

To ensure code quality and security, you can integrate Corgea CLI with your Git workflow using pre-commit hooks. This feature allows you to scan your code changes before committing or pushing them. To set up the pre-commit hook, run:

```bash theme={null}
corgea setup-hooks
```

When setting up the pre-commit hook, you will be prompted to enter your preferred configurations for the scan. To quickly set it up with the default settings, which include scan types for PII and secrets, and fail levels set to CR, HI, ME, and LO, you can run:

```bash theme={null}
corgea setup-hooks --default-config
```

To bypass the pre-commit check when committing, use the following command:

```bash theme={null}
git commit --no-verify
```
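
Since `--no-verify` skips the hook on the developer's machine, the same gate is usually repeated in CI. The following is an added example, not part of Corgea's documentation or code: a wrapper function (`corgea_ci_gate`, a hypothetical name) that takes the token from `CORGEA_TOKEN`, scans only the branch diff, and passes the scanner's exit status back to the pipeline. It assumes the `--target`, `--fail-on`, `--out-format` and `--out-file` flags shown on this page can be combined in one call and that a failed gate exits non-zero.

```bash
# Added example, not Corgea's own code. Assumptions: the scan flags shown on
# this page can be combined in one call, and a failed gate exits non-zero.
# Usage in a pipeline step (the base ref must already be fetched):
#   corgea_ci_gate origin/main CR report.sarif

corgea_ci_gate() {
  local base_ref="${1:-}"
  local fail_level="${2:-CR}"
  local report="${3:-report.sarif}"
  local rc=0

  if [ -z "$base_ref" ]; then
    echo "usage: corgea_ci_gate BASE_REF [CR|HI|ME|LO] [REPORT_FILE]" >&2
    return 64
  fi

  # Accept only the severity codes this page names, one at a time.
  case "$fail_level" in
    CR|HI|ME|LO) ;;
    *) echo "unknown severity: $fail_level" >&2; return 64 ;;
  esac

  # A bare `corgea login` is the browser-based flow, which a CI job cannot
  # complete, so stop early when no token was injected.
  if [ -z "${CORGEA_TOKEN:-}" ]; then
    echo "CORGEA_TOKEN is not set; inject it from the CI secret store" >&2
    return 2
  fi

  # The token is read from the environment, so it never appears in argv.
  corgea login >/dev/null || { echo "corgea login failed" >&2; return 3; }

  # Scan only what the branch changes relative to the base ref and keep a
  # SARIF report as a build artifact.
  corgea scan \
    --target "git:diff=${base_ref}...HEAD" \
    --fail-on "$fail_level" \
    --out-format=sarif --out-file="$report" || rc=$?

  if [ "$rc" -ne 0 ]; then
    echo "corgea scan exited $rc; blocking the build (see $report)" >&2
  fi
  return "$rc"
}
```
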

### Additional Options

For more options and commands, use:

```bash theme={null}
corgea --help
```

## Release Notes

For full release notes, please visit our [GitHub releases page](https://github.com/corgea/cli/releases).
