Overview
ZeroPath CLI provides command-line access to ZeroPath’s AI-powered security scanning platform. Upload and scan your code directly from your terminal with support for multiple output formats and CI/CD integration.
Get the CLI
Download the latest release from our GitHub repository
What ZeroPath CLI Detects
The CLI scans for a comprehensive range of security vulnerabilities:
- Authentication and authorization vulnerabilities
- Application logic flaws
- Dependency issues
- Security misconfigurations
- Command injection vulnerabilities
- File inclusion and path traversal attacks
- Secrets and hardcoded credentials
Quick Start
Core Commands
Authentication
Local Directory Scanning
Repository Scanning
On-Demand Code Scans Beta
Use scan-code to submit a diff, file, file set, or snippet for asynchronous
security review without starting a full repository scan.
scan-code uses your Git remote URL to automatically use linked
repository context when exactly one accessible ZeroPath repository matches. If
there is no match, it runs as a standalone scan.
See On-Demand Code Scans Beta for request
formats, target modes, limits, and API examples.
Container Scanning
Use the container commands to scan built container images for OS-package and
bundled-dependency vulnerabilities. Images can be pulled by registry reference —
including from private registries with credentials — or uploaded as a local
docker save archive. Findings are surfaced under the Supply Chain section with
per-layer attribution and base-image upgrade recommendations.
docker save and scan that archive directly with --file. Give it a label with
--name so it is identifiable in results.
Uploaded archives are scanned once and cannot be monitored: there is no registry
reference to re-pull on a schedule, so
container monitor rejects --file. Use a
registry image reference for recurring re-scans.
container test waits for the scan to finish and prints a
human-readable report. The following flags control that behavior:
- --json — print the raw response payload as JSON instead of the formatted report.
- --wait / --no-wait — wait for the scan to complete (the default). Pass --no-wait to submit the scan and return immediately with the container image ID.
- --timeout <seconds> — maximum seconds to wait for completion before exiting with an error. Must be a positive number.
container monitor also accepts --json to print the raw
response payload.
CI/CD Integration
The CLI is designed for seamless CI/CD integration — it exits with code 1 when security issues are found or when an error occurs during scanning.
Scan Timeout
Local directory scans have a maximum polling timeout of approximately 50 minutes. If the scan does not complete within this window, the CLI exits with an error. This prevents CI/CD pipelines from hanging indefinitely on long-running scans.
Output Formats
ZeroPath CLI supports multiple output formats for different use cases:
- SARIF: Standard format for static analysis results (local scans)
- Console: Human-readable formatted output for terminal viewing
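The CI/CD and Output Formats sections above describe a build that fails on findings and a SARIF file from a local scan. The following added example (not part of the ZeroPath CLI or its documentation) is a small gate script that reads a SARIF 2.1.0 file, tallies results by level, and returns exit code 1 when anything at or above a chosen severity is present; the embedded SARIF document is constructed for the example, and the file name sarif_gate.py is assumed.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample (not real ZeroPath output), three findings.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        {"ruleId": "command-injection", "level": "error",
         "message": {"text": "User input reaches a shell command"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/run.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "hardcoded-secret", "level": "warning",
         "message": {"text": "Possible credential in source"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "config/settings.py"},
             "region": {"startLine": 7}}}]},
        {"ruleId": "info", "level": "note",
         "message": {"text": "Informational only"}},
    ]}]})

SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def sarif_findings(sarif_text):
    """Flatten every result in every run into (level, ruleId, uri, line)."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when omitted
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            out.append((level, res.get("ruleId", "?"), uri, line))
    return out

def gate(sarif_text, fail_on="warning"):
    """Return (exit_code, counts): exit 1 if any finding is at or above fail_on."""
    counts = Counter(f[0] for f in sarif_findings(sarif_text))
    blocking = sum(n for lvl, n in counts.items()
                   if SEVERITY_RANK.get(lvl, 2) >= SEVERITY_RANK[fail_on])
    return (1 if blocking else 0), dict(counts)

if __name__ == "__main__":
    import sys  # usage: python sarif_gate.py results.sarif [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, counts = gate(text, sys.argv[2] if len(sys.argv) > 2 else "warning")
    for f in sarif_findings(text):
        print("%-7s %-18s %s:%d" % f)
    print("counts:", counts, "-> exit", code)
    sys.exit(code)
```

Run it after the scan step in a pipeline and the job fails on the script's exit code, so the threshold (for example "error" only, or "note" to block on everything) can be tuned per branch without changing how the scanner is invoked.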
Getting API Credentials
To use the CLI, you’ll need API credentials from your ZeroPath account:
- Sign in to ZeroPath Dashboard
- Navigate to API Settings
- Generate new API credentials (Client ID and Client Secret)
- Use these credentials with zeropath auth
Next Steps
- Installation Guide - Set up the CLI on your system
- GitHub Repository - Source code and releases
- API Reference - Build custom integrations