This reference guide describes the command line flags used to manage the Cortex Cloud Application Security, Cloud Workload Protection (CWP), and API Security modules through the Cortex CLI. It includes common flags, which apply to all supported modules, and global flags, which are shared specifically across AppSec and CWP and must be placed before the command.
In instances where the same flag is available in both categories, its underlying functionality remains identical; however, its required placement within the command structure differs depending on how it is used.
Common flags
The following table describes CLI commands common to all supported Cortex CLI modules. These flags are typically used after the module and command.
Command | Description |
|---|---|
--api-base-url $CORTEX_API_BASE_URL | The public facing API URL. To retrieve the URL, under Settings, select → → . Required: true. |
--api-key $CORTEX_API_KEY | The API key used for authorization. Required: true. |
--api-key-id $CORTEX_API_KEY_ID | The API key ID. Required: true. |
--soft-fail $CORTEX_SOFT_FAIL | Identifies and reports errors identified during a scan but does not trigger a failing condition, allowing CI/CD pipelines to continue without disruption. Instead of failing the build, the scan returns a successful exit code of Unlike skipped or suppressed checks, soft fail errors are still fully reported. For soft fails, a failed check matches the defined severity threshold. If multiple soft fail severities are specified, the highest severity acts as the threshold. Fundamental execution errors (such as exit codes 126 or 127) are not suppressed and will still fail the build. |
--support | Enable debug logs and upload the logs to the platform. Usage: Before the module name. For example: |
--log-level | Set the logging level (INFO, WARNING, ERROR) for Stdout output |
--http-proxy [$HTTP_PROXY] | The HTTP proxy server URL to route traffic through |
--help | See description in Global flags below |
--version | Retrieves the version of the Cortex CLI currently in use |
Global flags
The following table describes global CLI flags that are common specifically to the Application Security (AppSec) and Cloud Workload Protection (CWP) modules. These flags must be placed before the command.
Command | Description |
|---|---|
--severity $CORTEX_CODE_SEVERITY | Filters scan results by severity level. Accepts one or more comma-separated values: unknown, low, medium, high, critical. Repeat the flag or use comma separation to specify multiple levels (for example, Constraint: Only effective when Important: Severity filtering is currently only by the Application Security module |
--upload-mode $CORTEX_UPLOAD_MODE | Controls whether scan results are uploaded to the Cortex Cloud platform. Accepts placement in both the global position ( Accepted values:
|
--soft-fail $CORTEX_SOFT_FAIL | See description in Common flags above |
--no-fail-on-crash $CORTEX_NO_FAIL_ON_CRASH | Prevents the CLI from returning a non-zero exit code during internal errors (such as scanner crashes or network timeouts), ensuring CI/CD pipeline continuity even if a scan fails. When to use: Enable Signal-based exit codes (126, 127, 128+) indicating the CLI itself could not execute are never suppressed and require immediate investigation. Important: The environment variable changed from $CORTEX_CODE_NO_FAIL_ON_CRASH to $CORTEX_NO_FAIL_ON_CRASH as part of the framework-level migration. Update CI/CD pipeline configurations that reference the previous variable name. |
--log | Displays the path to the log file after command execution. Use this to troubleshoot CI/CD failures or provide details for support cases. By default, logs are stored at Log rotation: Includes automatic log rotation (10 MB per file, 3 backups, 24-hour retention). |
--help | Displays usage information, available subcommands, global flags, and flag descriptions for the Cortex CLI or any specific subcommand. Run
|