Skip to main content

Starting a DAST Scan from CLI

To see help, execute: java -jar clt.jar -help

This option requires Java 11 or later preinstalled.

To create a DAST project from CLI, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] dastProjectCreate [options]
  • -rest (API address).
  • -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Arguments (options):

Mandatory arguments:

  • -name DAST project name.

To start a scan from CLI, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] dastScanCreate [options]
  • -rest (API address)
  • -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

Mandatory arguments:

  • -project project ID.
  • -url URL to attack.

Optional arguments:

  • -ajax use AJAX Spider.
  • -ajaxTimeout AJAX Spider timeout in minutes (default: 5)
  • -auth authorization method: BASIC, TOKEN, HEADERS, FORM.
  • -authFormData authorization form. Request post data.
  • -authToken authorization token.
  • -excludeUrl exclude URLs from scan, must be comma separated.
  • -headers headers authentication.
  • -loginFormName login form name for authorization form.
  • -openapiPath path to OpenAPI definition file.
  • -openapiUrl OpenAPI definition URL.
  • -password password for basic authentication.
  • -passwordFormName password form name for authorization form.
  • -priority priority of scan execution.
  • -regexLoggedIn regex pattern in Logged In response.
  • -regexLoggedOut regex pattern in Logged Out response.
  • -reuseAuth reuse the data for subsequent analyses.
  • -scanMode scan mode (aggresive, standard, active attack).
  • -urlLoginPage login page URL for authorization form.
  • -urlLogoutPage logout page URL for authorization form.
  • -username username for basic authentication.

You can obtain project UUID in the project side menu. To copy the project UUID to the buffer, click on the icon.

Example:

java -jar clt.jar -rest [rest_url] -token [token] dastScanCreate -url URL -project PROJECT

To check the scan status, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] dastScanInfo [options]
  • -rest (API address)
  • -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

  • -scan (DAST scan UUID)

You can obtain scan UUID in the scan information. To copy the scan UUID to the buffer, click on the icon.

Example:

java -jar clt.jar -rest [rest_url] -token [token] dastScanInfo -scan SCAN

To export a PDF report, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] dastExport [options]

To export a CSV report, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] dastExport [options]
'-general.format' CSV
  • -rest (API address)
  • -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

Arguments are included in the report if they take true. Other arguments will take false if not specified.

Mandatory arguments:

  • -path (path to the directory where the report should be placed)
  • -project (project's identifier to export)

You can obtain project UUID in the project side menu. To copy project UUID, click on the icon.

Optional arguments:

  • -scans (identifiers of scans to be included into report. Should be comma separated)
  • -filter.critical (include critical issues or not (included by default))
  • -filter.info (include info issues or not)
  • -filter.low (include low level issues or not)
  • -filter.medium (include medium level issues or not (included by default))
  • -filter.tasks (include issues with task manager task or not (included by default))
  • -general.contents (include contents or not (included by default))
  • -general.included (include report settings or not (included by default))
  • -general.locale (report locale (default: en))
  • -general.logo use custom logo. Specify path to the logo.
  • -general.statuses vulnerability statuses.
  • -languages (include languages. Languages should be separated by a comma, without spaces. Possible values: ABAP, APEX, CS, CCPP, COBOL, CONFIG, DART, DELPHI, GO, GROOVY, HTML5, JAVA, JAVASCRIPT, KOTLIN, LOTUSSCRIPT, OBJC, PASCAL, PHP, PLSQL, PYTHON, PERL, RUBY, RUST, SCALA, SOLIDITY, SWIFT, TSQL, TYPESCRIPT, VBNET, VBA, VBSCRIPT, VB, VYPER, 1C ONES.)
  • -projectInfo.scanHistory (number of scans for which history will be included, default: 0):
    • -1 — don't include scan history at all
    • 0 — include all scan history
    • >0 — specified amount of scans in history
  • -projectInfo.securityDynamic (include security level dynamics or not (default: true))
  • -projectInfo.vulnerabilityDynamic (include security level dynamics or not (default: true))
  • -results.included the Detailed Results section included or not (included by default). When included in the report, you need to specify:
    • -results.action include vulnerability actions (included by default).
    • -results.comment (include comments or not (included by default))
    • -results.entryNum (number of vulnerability entries, default: 0):
      • -1 — don't include entries at all
      • 0 — include all entries
      • >0 — specified number of entries
    • -results.request include request/response headers and bodies (included by default).
    • -results.statuses include issues with statuses. Specify statuses as list.
    • -results.taskInfo (include JIRA info or not (included by default))
  • -scanInfo.included settings included or not (included by default). When included in the report, you need to specify:
    • -scanInfo.foundChart (include found vulnerabilities chart or not (included by default))
    • -scanInfo.settings (include scan settings or not (included by default))
    • -scanInfo.typeChart (include vulnerability type chart or not (included by default))
  • -table.included vulnerability list included or not (included by default). When included in the report, you need to specify:
    • -table.entryNum (number of vulnerability entries, default: 0):
      • -1 — don't include entries at all
      • 0 — include all entries
      • >0 — specified number of entries
    • -table.statuses include issues with statuses. Need to specify statuses as list.
  • -comparison.included comparison settings included or not. When included in the report, you need to specify:
    • -comparison.scan (scan UUID (required))
    • -comparison.fixed (include fixed issues or not)
    • -comparison.newIssue (include new issues or not (included by default))
    • -comparison.saved (include remaining issues or not (included by default))
    • -comparison.entryNum (number of vulnerability entries, default: 0):
      • -1 — don't include entries at all
      • 0 — include all entries
      • >0 — specified number of entries
    • -comparison.scanSettings (include scan settings (included by default))

Example:

java -jar clt.jar -rest http://<installation_address>/app/api/v1
-token kljkjljlkjljklkjk dastExport -scan ec59395b-4372-47b1-95a2-4d48b044ff0b
-path C:\test -default

Please notice:

The Scan Information section will not be included into the report, unless you specify the scan UUID value (argument -scans). You can obtain scan UUID in the scan information. To copy the scan UUID to the buffer, click on the icon.

The functionality described above is also available via REST API.