Cortex CLI Cortex Cloud Application Security command line reference - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Posture Management
Creation date: 2025-01-22
Last date published: 2026-06-04
Category: Administrator Guide

This reference guide documents the commands and flags unique to the Cortex Cloud Application Security CLI. For CLI commands common to all supported modules, refer to the Cortex CLI common command line reference guide.

Important

The Cortex Cloud Application Security CLI supports only a single occurrence of each flag. If the same flag is passed multiple times, only the last provided value is used and the earlier values are ignored. For example, in the following command, only the last --framework value is applied, so only TF CloudFormation will be the scanned framework.

Example 119. 

./cortexcli --api-base-url <YOUR_API_URL> --api-key <YOUR_API_KEY> --auth-id <YOUR_AUTH_ID> --framework terraform --framework "terraform cloudformation"


Command/Variable

Description

--source

$CORTEX_CODE_SOURCE

The source of execution. Default source: CLI. Examples: Jenkins, GitHub Actions, CLI

--repo-id

$CORTEX_CODE_REPO_ID

Required for upload mode.

Identity string of the repository. Format: repo_owner/repo_name.

Note

The repo-id flag must not end with .config.log or .ini. -config is acceptable.

Example 120. 
  • --repo-id foo.config will be blocked

  • --repo-id foo-config will pass


To retrieve the repository ID, under Inventory, navigate to All Assets > Repositories (under Code) > select a repository > copy the Asset ID value from the Properties section of the side card.

--branch

$CORTEX_CODE_BRANCH

Required for upload mode.

Path to custom CA certificate (bundle) file for corporate proxy/TLS interception environments

--directory

$CORTEX_CODE_DIRECTORY

Required.

The directory path to scan. Cannot be used together with --file

--file

$CORTEX_CODE_FILE

The file path to scan. Cannot be used together with --directory. When using this option, the Cortex CLI filters runners based on the file type provided. For example, if you specify a .tf file, only the Terraform and secrets frameworks are included. You can limit this further (for example, skip secrets) by using the --skip-framework argument.

--var-file

$CORTEX_CODE_VAR_FILE

Variable files to load in addition to the default files. This feature is currently supported for both source Terraform (.tfvars files) and Helm chart scans (for providing custom values or variable overrides). Refer to https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files for more information.

--framework

$CORTEX_CODE_FRAMEWORK

Filter to scan specific frameworks. Example: --framework arm.

Syntax: Use a single flag with comma-separated values for multiple frameworks. Both quoted ("arm,ansible") and unquoted (arm,ansible) formats are supported. Example: --framework arm,ansible.

Constraint: Do not use multiple --framework flags: --framework terraform --framework sca_package.

Environment variables: export CORTEX_CODE_FRAMEWORK=arm,ansible.

Supported frameworks: ARM, ANSIBLE, BICEP, CLOUDFORMATION, DOCKER, DOCKERFILE, HELM, KUBERNETES, KUSTOMIZE, OPENAPI, SCA, SECRETS, SERVERLESS, TERRAFORM, TERRAFORMJSON, TERRAFORMPLAN

--skip-framework

$CORTEX_CODE_SKIP_FRAMEWORK

Skip specific frameworks. Example: --skip-framework terraform.

Syntax: Use a single flag with comma-separated values for multiple frameworks. Both quoted ("arm,ansible") and unquoted (arm,ansible) formats are supported. Example: --skip-framework terraform,sca_package.

Constraint: Do not use multiple --skip-framework flags: --skip-framework terraform --skip-framework sca_package.

Environment variables: export CORTEX_CODE_SKIP_FRAMEWORK="tf,sca"

--ca-certificate

$CORTEX_CODE_CA_CERTIFICATE

See common flags for more information

--no-cert-verify

$CORTEX_CODE_NO_CERT_VERIFY / $NO_CERT_VERIFY

Disables TLS/SSL certificate verification when connecting to the API (default: false). Not recommended for production. Use only in test or development environments, as this reduces connection security.

--summary-position

$CORTEX_CODE_SUMMARY_POSITION

Sets the position for displaying the summary information relative to the findings. Values: top, bottom

--upload-mode

$CORTEX_UPLOAD_MODE

Upload mode determines the method or mode used to upload data. See common flags for more information

--external-modules-download-path

$CORTEX_CODE_EXTERNAL_MODULES_DOWNLOAD_PATH

Specifies the directory to download external modules to. Defaults to .external_modules

--output

$CORTEX_CODE_OUTPUT

Output format for reporting.

Supported formats: cli, json, spdx, junitxml, sarif, cyclonedx, cyclonedx_json

--output-file-path

$CORTEX_CODE_OUTPUT_FILE_PATH

Specifies the output path for the scan result file

--deep-analysis

$CORTEX_CODE_DEEP_ANALYSIS

Enables or disables deep analysis of the Terraform plan and related files

--repo-root-for-plan-enrichment

$CORTEX_CODE_REPO_ROOT_FOR_PLAN_ENRICHMENT

Enriches Terraform plan findings by mapping them to their original .tf files

--skip-path

$CORTEX_CODE_SKIP_PATH

Specifies a path (file or directory) that should be skipped during the scanning process. This option is useful for excluding specific files or directories that are not relevant to the scanning analysis, increasing the efficiency and accuracy of scan results

--create-repo-if-missing

$CORTEX_CODE_CREATE_REPO_IF_MISSING

Determines whether the system should create a repository if it is missing. This option allows users to automate the creation of repositories as needed and ensure that all required repositories are available for scanning.

For example, when running automated scans or integrating with version control systems, enabling --create-repo-if-missing can help maintain consistency and prevent disruptions due to missing repositories

--compact

$CORTEX_CODE_COMPACT

Do not display code blocks in the output

--no-fail-on-crash

$CORTEX_NO_FAIL_ON_CRASH

See common flags for a description

--var-file

$CORTEX_CODE_VAR_FILE

Variable files to load in addition to the default files. Currently only supported for source Terraform (.tf file) and Helm chart scans.

--validate-secret

$CORTEX_APPSEC_VALIDATE_SECRETS

Validate detected secrets against their respective services to confirm they are active. By default, this feature is disabled. Set CORTEX_APPSEC_VALIDATE_SECRETS=true to enable it.

--timeout

Sets the maximum time the Cortex CLI will wait for triggered local scan processes to complete. Default value: 15 minutes.

Syntax:

  • To specify a duration: Use a numeric value followed by a unit (for example --timeout 10m)

  • Default unit: Numeric values entered without a unit are interpreted as seconds. For example, 30 is equal to 30 seconds.

  • Supported units: Milliseconds, seconds, minutes and hours

--start-commit

Starting commit hash for git history scanning (Git Hook flag)

--commit-list

Comma-separated list of commit hashes to scan (Git Hook flag)

--hook-event

Git hook event type - pre-commit (Git Hook flag)

--help

See common flags for a description
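
Because a repeated flag is silently reduced to its last value, a pipeline that appends flags from several places can end up scanning fewer frameworks than intended. The POSIX shell pre-flight check below is an added example, not part of the Cortex CLI or of this guide: it merges repeated --framework and --skip-framework values into one comma-separated flag, and rejects other duplicates, --directory used with --file, and --no-cert-verify. The function names, exit codes and the ALLOW_INSECURE_TLS opt-in are hypothetical, and it assumes flags are written as "--flag value".

```shell
#!/bin/sh
# Added example, not part of the Cortex CLI. Lints a planned cortexcli argument
# list against the constraints in this reference and prints one normalized
# argument per line. Assumes "--flag value" syntax (no "--flag=value").

# Split values on commas/spaces, drop duplicates, keep first-seen order.
merge_csv() {
    printf '%s\n' "$@" | tr ' ,' '\n\n' | awk 'NF && !seen[$0]++' | paste -sd, -
}

normalize_cortex_args() (
    nl='
'
    seen=" "; fw=""; skipfw=""; out=""; src=""
    while [ $# -gt 0 ]; do
        flag=$1; shift
        case $flag in --*) ;; *) echo "unexpected value: $flag" >&2; exit 2 ;; esac
        val=""; has_val=0
        if [ $# -gt 0 ]; then
            case $1 in --*) ;; *) val=$1; has_val=1; shift ;; esac
        fi
        case $flag in
            # Repeated framework filters are merged instead of silently dropped.
            --framework)      fw=$(merge_csv "$fw" "$val"); continue ;;
            --skip-framework) skipfw=$(merge_csv "$skipfw" "$val"); continue ;;
            --directory|--file)
                [ -z "$src" ] || [ "$src" = "$flag" ] ||
                    { echo "--directory and --file are mutually exclusive" >&2; exit 3; }
                src=$flag ;;
            --no-cert-verify)
                # ALLOW_INSECURE_TLS is a hypothetical opt-in for test pipelines.
                [ "${ALLOW_INSECURE_TLS:-0}" = 1 ] ||
                    { echo "--no-cert-verify refused; use --ca-certificate" >&2; exit 4; } ;;
        esac
        # Any other repeated flag: the CLI would keep only the last value.
        case $seen in *" $flag "*) echo "duplicate flag: $flag" >&2; exit 5 ;; esac
        seen="$seen$flag "
        out="${out}${flag}${nl}"
        [ "$has_val" -eq 0 ] || out="${out}${val}${nl}"
    done
    [ -z "$fw" ] || out="${out}--framework${nl}${fw}${nl}"
    [ -z "$skipfw" ] || out="${out}--skip-framework${nl}${skipfw}${nl}"
    printf '%s' "$out"
)

# Constructed demo input modelled on Example 119.
normalize_cortex_args --framework terraform --framework "terraform cloudformation" --directory .
```

A non-zero exit status means the argument list should be fixed before the scan runs; the message on stderr names the conflicting flag.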