
Overview

ZeroPath CLI provides command-line access to ZeroPath’s AI-powered security scanning platform. Upload and scan your code directly from your terminal with support for multiple output formats and CI/CD integration.

Get the CLI

Download the latest release from our GitHub repository

What ZeroPath CLI Detects

The CLI scans for a comprehensive range of security vulnerabilities:
  • Authentication and authorization vulnerabilities
  • Application logic flaws
  • Dependency issues
  • Security misconfigurations
  • Command injection vulnerabilities
  • File inclusion and path traversal attacks
  • Secrets and hardcoded credentials

Quick Start

# Install CLI (see installation guide)
# Authenticate with your API credentials
zeropath auth <clientId> <clientSecret>

# Scan current directory
zeropath scan . output.sarif

# Scan by repository ID
zeropath scan --repository-id <repositoryId>

# Scan by repository URL
zeropath scan --repository-url https://github.com/owner/repo --vcs github

Core Commands

Authentication

# Authenticate with API credentials
zeropath auth <clientId> <clientSecret>

Local Directory Scanning

# Basic scan
zeropath scan <directory> <outputFile.sarif>

# Example
zeropath scan ./my-project results.sarif

Repository Scanning

# Scan by repository ID
zeropath scan --repository-id <repositoryId>

# Scan by repository URL
zeropath scan --repository-url https://github.com/owner/repo --vcs github

On-Demand Code Scans Beta

Use scan-code to submit a diff, file, file set, or snippet for asynchronous security review without starting a full repository scan.

# Scan the current Git working-tree diff
zeropath scan-code --diff

# Scan staged changes
zeropath scan-code --staged

# Scan one file
zeropath scan-code --file src/api.ts

# Force standalone mode when you do not want linked repository context
zeropath scan-code --diff --standalone

By default, scan-code reads your Git remote URL and picks up linked repository context when exactly one accessible ZeroPath repository matches that remote. If there is no match, it runs as a standalone scan; pass --standalone to skip the lookup entirely.

On-Demand Code Scans are currently in beta. Behavior, limits, and response fields may change before general availability.

See On-Demand Code Scans Beta for request formats, target modes, limits, and API examples.

Container Scanning

Use the container commands to scan built container images for OS-package and bundled-dependency vulnerabilities. Images can be pulled by registry reference, including from private registries with credentials, or uploaded as a local docker save archive. Findings are surfaced under the Supply Chain section with per-layer attribution and base-image upgrade recommendations.

# One-shot scan of a built image
zeropath container test <image>

# Example
zeropath container test registry.example.com/app:1.4.2

To scan an image in a private registry, pass registry credentials. ZeroPath authenticates with them when pulling the image; tokens are transmitted over TLS and stored encrypted. A token supplied as a command-line argument is still visible in shell history and in process listings on the machine running the scan, so in CI source it from a masked secret variable rather than writing it into the pipeline definition.

# Scan an image from a private registry
zeropath container test registry.example.com/app:1.4.2 \
  --registry-username <username> \
  --registry-token <token>

For air-gapped images that cannot be pulled, export the image to a tarball with docker save and scan that archive directly with --file. Give it a label with --name so it is identifiable in results.

# Export the built image, then scan the archive
docker save -o image.tar registry.example.com/app:1.4.2
zeropath container test --file image.tar --name app-1.4.2

Uploaded archives are scanned once and cannot be monitored: there is no registry reference to re-pull on a schedule, so container monitor rejects --file. Use a registry image reference for recurring re-scans.

By default, container test waits for the scan to finish and prints a human-readable report. The following flags control that behavior:
  • --json — print the raw response payload as JSON instead of the formatted report.
  • --wait / --no-wait — wait for the scan to complete (the default). Pass --no-wait to submit the scan and return immediately with the container image ID.
  • --timeout <seconds> — maximum seconds to wait for completion before exiting with an error. Must be a positive number.
# Submit without waiting, emitting JSON for scripting
zeropath container test registry.example.com/app:1.4.2 --no-wait --json

# Wait up to 10 minutes for completion
zeropath container test registry.example.com/app:1.4.2 --timeout 600

To keep watching an image after it ships, register it for recurring re-scans. Monitoring surfaces newly disclosed CVEs against an already-built image without a manual re-run. container monitor also accepts --json to print the raw response payload.

# Monitor an image on the default schedule
zeropath container monitor <image>

# Monitor an image on a custom schedule (crontab expression)
zeropath container monitor <image> --schedule "0 6 * * *"

# Example, emitting JSON
zeropath container monitor registry.example.com/app:1.4.2 --schedule "0 6 * * *" --json

See Container Scanning for the end-to-end flow, per-layer findings, private-registry and local-archive scanning, and base-image upgrade recommendations.
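For pipelines that script the container commands, the following is an added example (not ZeroPath's own code) that assembles the argv for container test and container monitor while enforcing the rules stated above: exactly one of an image reference or a --file archive, no monitoring of archives, a positive --timeout, and a five-field crontab --schedule. It only emits flags shown on this page; the helper names, and the assumption that --json output arrives on stdout, are the example's own.

```python
"""Argument builder for `zeropath container test` and `zeropath container monitor`.

Added example for scripting these commands from CI; it is not ZeroPath's own
code. It encodes only the rules stated on the overview page (an image reference
or a --file archive, never both; monitor rejects --file; --timeout must be
positive; --schedule is a crontab expression) and otherwise just assembles argv.
The assumption that --json output arrives on stdout, and all helper names, are
the example's own.
"""
import json
import subprocess


def validate_schedule(schedule):
    """A crontab expression has five whitespace-separated fields: min hour dom mon dow."""
    if len(schedule.split()) != 5:
        raise ValueError(f"--schedule needs 5 crontab fields, got {schedule!r}")


def container_args(subcommand, image=None, archive=None, name=None,
                   registry_username=None, registry_token=None,
                   wait=True, timeout=None, schedule=None, json_output=False):
    """Return the argv list for a container test/monitor call, or raise ValueError."""
    if subcommand not in ("test", "monitor"):
        raise ValueError(f"unknown subcommand {subcommand!r}")
    if (image is None) == (archive is None):
        raise ValueError("give exactly one of an image reference or an archive path")
    if archive is not None and subcommand == "monitor":
        # Uploaded archives are scanned once; there is no reference to re-pull.
        raise ValueError("archives cannot be monitored; use a registry image reference")
    if (registry_username is None) != (registry_token is None):
        raise ValueError("--registry-username and --registry-token go together")
    if registry_token is not None and subcommand != "test":
        # The page documents registry credentials for `container test` only.
        raise ValueError("registry credentials are only documented for container test")
    if timeout is not None:
        if subcommand != "test":
            raise ValueError("--timeout applies to container test only")
        if timeout <= 0:
            raise ValueError("--timeout must be a positive number of seconds")
    if schedule is not None:
        if subcommand != "monitor":
            raise ValueError("--schedule applies to container monitor only")
        validate_schedule(schedule)

    args = ["zeropath", "container", subcommand]
    if image is not None:
        args.append(image)
    else:
        args += ["--file", archive]
        if name:
            args += ["--name", name]
    if registry_token is not None:
        # Visible in process listings and shell history: source the token from a
        # masked CI secret, never from a literal in the pipeline definition.
        args += ["--registry-username", registry_username,
                 "--registry-token", registry_token]
    if subcommand == "test":
        if not wait:
            args.append("--no-wait")
        if timeout is not None:
            args += ["--timeout", str(timeout)]
    if schedule is not None:
        args += ["--schedule", schedule]
    if json_output:
        args.append("--json")
    return args


def run_json(args):
    """Run an argv built above with --json and parse stdout (assumed to carry the payload)."""
    if "--json" not in args:
        raise ValueError("run_json expects argv built with json_output=True")
    proc = subprocess.run(args, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Submit without waiting and keep the raw payload for a later pipeline step.
    argv = container_args("test", image="registry.example.com/app:1.4.2",
                          wait=False, json_output=True)
    print(" ".join(argv))
```

The builder raises before anything is executed, so a misconfigured pipeline step (for example trying to monitor a docker save archive) fails at argument-assembly time instead of after an image upload.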

CI/CD Integration

The CLI is built for CI/CD use: it exits with code 1 both when findings are present and when an error occurs during scanning, so a non-zero exit fails the pipeline step in either case. Because one exit code covers both outcomes, inspect the console output or the SARIF file to tell a scan that found issues from a scan that failed to run:

# Scan a repository (exits 1 if issues found)
zeropath scan --repository-id <repositoryId>

# Generate SARIF output (local scan only)
zeropath scan . results.sarif

Scan Timeout

Local directory scans have a maximum polling timeout of approximately 50 minutes. If the scan does not complete within this window, the CLI exits with an error. This prevents CI/CD pipelines from hanging indefinitely on long-running scans.
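The CI/CD and timeout sections above leave two things to the pipeline author: distinguishing "findings present" from "scan error" behind the shared exit code 1, and bounding the wait so a stalled scan is reported by your own step rather than by the runner's job timeout. The following is an added example (not ZeroPath's own code) of a gate script that runs the documented local scan, reads the SARIF it writes, and decides the outcome from the result levels. The 45-minute wrapper timeout, the severity threshold, and the constructed SARIF sample are the example's own choices; it relies only on the standard SARIF 2.1.0 layout (runs[].results[].level).

```python
"""CI gate around `zeropath scan <dir> <out.sarif>`: added example, not ZeroPath's own code.

Assumes the documented scan command and a standard SARIF 2.1.0 output file. The
wrapper timeout, the severity threshold and SAMPLE_SARIF below are constructed
for this example.
"""
import json
import subprocess
import sys
from collections import Counter

# Rank used to compare a finding's SARIF `level` against the gate threshold.
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

# Stay under the CLI's own ~50-minute polling window so this wrapper, not the
# CI runner's global job timeout, is what reports a stuck scan.
SCAN_TIMEOUT_SECONDS = 45 * 60


def run_scan(directory, sarif_path):
    """Run the local directory scan. Returns the CLI exit code, or None on timeout."""
    try:
        proc = subprocess.run(["zeropath", "scan", directory, sarif_path],
                              timeout=SCAN_TIMEOUT_SECONDS)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode


def summarize_sarif(sarif):
    """Count results per level across all runs; SARIF's default level is "warning"."""
    counts = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return dict(counts)


def findings_at_or_above(summary, threshold):
    """Number of findings whose level is at least `threshold`."""
    floor = LEVEL_RANK[threshold]
    return sum(n for level, n in summary.items() if LEVEL_RANK.get(level, 1) >= floor)


def gate(exit_code, sarif, threshold="error"):
    """Return (should_fail, reason) for the pipeline step.

    Exit code 1 is used by the CLI both for "findings present" and for "scan
    error", so the SARIF content is what separates the two cases.
    """
    if exit_code is None:
        return True, "scan timed out"
    if exit_code not in (0, 1):
        return True, f"unexpected exit code {exit_code}"
    summary = summarize_sarif(sarif)
    if exit_code == 1 and not summary:
        return True, "CLI reported an error and produced no findings"
    blocking = findings_at_or_above(summary, threshold)
    if blocking:
        return True, f"{blocking} finding(s) at level {threshold} or above: {summary}"
    return False, f"no blocking findings (summary: {summary})"


# Constructed minimal SARIF 2.1.0 log for demonstration; not real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "credential in source"}},
            {"ruleId": "path-traversal", "level": "warning",
             "message": {"text": "unsanitised path"}},
            {"ruleId": "style", "level": "note", "message": {"text": "nit"}},
        ],
    }],
}


def main(argv):
    directory = argv[1] if len(argv) > 1 else "."
    sarif_path = argv[2] if len(argv) > 2 else "results.sarif"
    code = run_scan(directory, sarif_path)
    sarif = {}
    if code is not None:
        try:
            with open(sarif_path) as fh:
                sarif = json.load(fh)
        except (OSError, json.JSONDecodeError):
            sarif = {}  # missing or unreadable SARIF is treated like an error exit
    fail, reason = gate(code, sarif)
    print(reason)
    return 1 if fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoke it as the pipeline step in place of the bare zeropath scan call; lowering the threshold to "warning" turns path-traversal-class findings into blockers as well, without touching the exit-code handling.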

Output Formats

ZeroPath CLI supports multiple output formats for different use cases:
  • SARIF: Standard format for static analysis results (local scans)
  • Console: Human-readable formatted output for terminal viewing

Getting API Credentials

To use the CLI, you’ll need API credentials from your ZeroPath account:
  1. Sign in to ZeroPath Dashboard
  2. Navigate to API Settings
  3. Generate new API credentials (Client ID and Client Secret)
  4. Use these credentials with zeropath auth. The client secret is passed as a command-line argument, so keep it out of shell history and CI logs; in CI, read it from a masked secret variable rather than a literal.

Next Steps