CLI REFERENCE

Command Line Usage

Core commands and flags used by teams to run scans locally and in CI/CD.

Commands

fendix scan
    Run a security scan against a target
fendix init
    Generate a drop-in CI workflow (.github/, GitLab, or CircleCI) + .fendix.yaml policy + .fendix-ignore for the current repo. Auto-detects the CI system from the project root; use --ci to override (v0.6+)
fendix demo
    Spin up OWASP Juice Shop locally in Docker, run a sample scan, and (with --open) open the HTML report (v0.6.1+)
fendix report
    Re-render saved findings in a different format (json | html | sarif | pdf)
fendix verify
    Re-run a single finding by ID to confirm it (exit 0 when resolved, exit 1 when still confirmed; v0.11.1 fixed inverted exit codes)
fendix version
    Print the installed Fendix version
fendix hook install
    Install a pre-commit hook that runs a diff-aware scan (secrets + textscan, sub-second) on staged files and blocks the commit on a secret or HIGH+ finding. Honours core.hooksPath and refuses to clobber a foreign hook (v0.16+)
fendix hook uninstall
    Remove the Fendix pre-commit hook (v0.16+)
fendix hook status
    Report whether the Fendix pre-commit hook is installed and active (v0.16+)
fendix plugins list
    Show every plugin discovered under .fendix/plugins/ and ~/.fendix/plugins/ (v0.10+)
fendix plugins install <git>
    Clone a plugin repo into ~/.fendix/plugins/ and validate its manifest (v0.10+)
fendix ignore list
    Show every .fendix-ignore rule with EXPIRED / expiring-soon / active / no-expiry status (v0.11+)
fendix ignore validate
    Parse .fendix-ignore and report schema / date / empty-rule errors; non-zero exit for CI gating (v0.11+)
fendix ignore prune [--dry-run]
    Remove expired rules from .fendix-ignore and rewrite the file (v0.11+)
fendix db update
    Ingest an OSV advisory export JSON into a local air-gapped CVE snapshot. Run this before offline scans (v0.13+)
fendix db list
    Print metadata for the local CVE snapshot (timestamp, entry count, ecosystems). Use --path to specify a non-default location (v0.13+)
fendix db verify
    Print the SHA-256 of the local CVE snapshot for integrity checking. Use --path to specify a non-default location (v0.13+)
fendix jira
    Idempotent Jira sync: creates one issue per finding above FENDIX_JIRA_MIN_SEVERITY (default HIGH). Safe to run repeatedly; uses the fendix-id label as the idempotency key (v0.13.1+)
fendix notify
    Post Slack Block Kit + Teams Adaptive Card alerts for findings above FENDIX_NOTIFY_MIN_SEVERITY (default CRITICAL). Set FENDIX_SLACK_WEBHOOK_URL and/or FENDIX_TEAMS_WEBHOOK_URL (v0.13.1+)

Scan Flags

--url
    Target API base URL
--spec
    OpenAPI/Swagger spec: local path or https:// URL
--code
    Source code directory for white-box analysis
--auth
    Auth header value, e.g. "Bearer token123"
--auth-type
    Auth profile: bearer | apikey | apikey-query | basic | cookie (default: auto-detect)
--auth-header
    Custom auth header name (default: Authorization). With --auth-type apikey-query, this is the URL query-parameter name (default: api_key).
--auth-user2
    Second user's auth for IDOR checks
--profile
    Auth profile from ~/.fendix/profiles/
-o, --output
    Output file path (default: stdout)
-f, --format
    Output format: json | html | sarif | pdf (default: json). PDF rendering is pure Go and does not need Semgrep. html accepts --lang ar for Arabic/RTL (v0.13+)
--fail-on
    Exit 1 if any finding meets the threshold: CRITICAL | HIGH | MEDIUM
--fail-on-scanner-error
    Exit non-zero (2) if any scanner (govulncheck/pip/npm/secrets/semgrep/textscan) ran and errored, turning a silent coverage gap into a CI failure.
--baseline
    Previous findings JSON to diff against; show only new issues
--save-baseline
    Save current findings to the given path for future diffs
--diff
    Diff-aware scan: scope the whitebox scanners to files changed vs HEAD (or --diff=‹ref› vs a ref). SCA runs only when a manifest/lockfile changed. Distinct from --baseline, which filters findings, not files (v0.16+)
--staged
    With --diff, scope to git-staged files only, i.e. what a commit is about to introduce. The basis of the pre-commit hook (v0.16+)
--fast
    Secrets + textscan only, sub-second budget; pairs with --diff --staged for an on-every-commit gate. ~18ms on a 200-file monorepo (v0.16+)
--enable-active
    Enable active probes: injection (SQLi, CMDi, CRLF), open-redirect, reflected XSS, in-band SSRF, host-header injection, GraphQL introspection, and HTTP method tampering (v0.18)
--allow-private-targets
    Allow scanning private/loopback/link-local and cloud-metadata addresses (disables the SSRF egress guard). Auto-enabled when --url is already private.
--max-probes-per-endpoint
    Cap active payloads per endpoint when --enable-active is set (default: 20)
-w, --workers
    Concurrent HTTP workers (default: 10)
--timeout
    HTTP timeout in seconds (default: 10)
--delay
    Milliseconds between requests (default: 100)
--ignore
    Path to .fendix-ignore suppression file
--wordlist
    Custom brute-force wordlist path; overrides the built-in 117-path list
--crawl-depth
    Recursive HTML link crawl depth: 0 disables, 1 = home-page links (default), 2+ = deeper
--max-endpoints
    Cap discovered endpoints after dedupe (default: 500; 0 = no cap)
--max-requests
    Soft cap on total HTTP requests during the scan phase; discovery is exempt (v0.5; 0 = no cap)
--max-duration
    Wall-clock deadline as a Go duration string, e.g. 5m, 90s, 2m30s (v0.5)
--respect-robots
    Treat robots.txt Disallow rules as a hard restriction across discovery (v0.5; default off)
--debug-bundle
    Write a redacted diagnostic .tar.gz at the given path: auth values masked, full DEBUG slog stream + probe audit log included. For attaching to bug reports (v0.6)
--config
    Path to .fendix.yaml policy file (default: auto-detect .fendix.yaml in cwd; an explicit path that does not exist is a hard error). Precedence: cobra default < .fendix.yaml < explicit CLI flag (v0.6.1+)
--no-plugins
    Disable out-of-tree plugin discovery in .fendix/plugins/ + ~/.fendix/plugins/. Use for sandboxed CI or when isolating engine behaviour from third-party plugins (v0.7+)
--allow-repo-local-plugins
    Opt into running repo-local plugins under ‹scan-dir›/.fendix/plugins/ (unsafe on untrusted PRs, whose diff can add a plugin there; ~/.fendix/plugins/ is always trusted).
--no-native-deps
    Disable the in-process native dep-CVE scanners (Go via golang.org/x/vuln, PyPI + npm via OSV.dev). The orchestrator falls back to the Python deps.py path. Useful for offline scans (no vuln-DB network access) or for debugging dedup overlap (v0.8+)
--use-pip-audit
    Use the pip-audit binary for Python dependency-CVE scanning instead of the native OSV.dev client (falls back to OSV.dev if pip-audit isn't on PATH).
--python-engine
    Spawn the Python whitebox engine for the auth / injection / deps checks. Default off as of v0.9: secrets and Semgrep are now native Go (TASK-115/116) and the embedded Python distribution is no longer bundled. Requires a local python/ source tree (or FENDIX_ENGINE pointing at one). Cold-start cost is ~24 ms p50 with the flag set vs ~6 ms without (v0.9+)
--lang
    HTML report language: en (default) | ar (Arabic, right-to-left). Applies to --format html only; JSON/SARIF/PDF stay English (v0.13+)
--classification
    Classification banner text rendered at the top-right of every PDF page (default: INTERNAL). An empty string disables the banner. Only applies to --format pdf (v0.13+)
--offline
    Fully air-gapped scan mode: dep-CVE checks consult the local CVE snapshot instead of api.osv.dev. Requires --offline-db or a snapshot at the default path. Use fendix db update to populate the snapshot (v0.13+)
--offline-db
    Path to the local CVE snapshot to use in --offline mode (default: ~/.fendix/osv-snapshot.json). Created by fendix db update (v0.13+)
--ci
    CI system for fendix init: github (default) | gitlab | circleci. Auto-detected from the project root when omitted. github emits .github/workflows/fendix.yml; gitlab emits .gitlab-ci.fendix.yml; circleci emits .circleci/fendix-config.yml (v0.14+)
-v, --verbose
    Print all requests and raw findings

Report Flags

Re-render a saved findings JSON file to a different format without re-scanning.

--input
    Path to findings JSON file (required)
-f, --format
    Output format: json | html | sarif | pdf (default: html)
-o, --output
    Output file path (default: stdout)
--lang
    HTML report language: en | ar (Arabic/RTL). Applies to --format html only (v0.13+)
--classification
    Classification banner text for PDF output (default: INTERNAL; empty string disables) (v0.13+)

Init Flags

fendix init detects the project's stack (Go, Python, Node.js, Ruby, Rust, Java/Kotlin, PHP) and any colocated OpenAPI/Swagger spec, then writes the CI workflow + .fendix.yaml (see schema reference) + .fendix-ignore. Supported CI targets (v0.14+): GitHub Actions, GitLab CI, CircleCI — auto-detected from project root, or override with --ci. Refuses to overwrite by default; pre-flight check is atomic across all three files.

--force
    Overwrite an existing CI workflow, .fendix.yaml, or .fendix-ignore (default: refuse and exit; the pre-flight check is atomic across all three)
--print
    Dry run: render templates to stdout without touching disk
--ci
    Target CI system: github (default) | gitlab | circleci. Auto-detected from the project root; override with this flag (v0.14+)

Demo Flags

fendix demo spins up bkimminich/juice-shop:v17.1.1 in Docker on localhost:3000, runs a stock fendix scan against it, and renders an HTML report. Container is always cleaned up on exit (success or failure). Useful for first-time evaluators who want to see a real scan without pointing fendix at production.

--open
    Open the rendered HTML report in your default browser when the scan finishes
--port
    Local port to bind juice-shop on (default: 3000)
--output
    HTML report output path (default: $TMPDIR/fendix-demo-‹unix›.html)
--image
    Juice-shop Docker image reference (default: bkimminich/juice-shop:v17.1.1, pinned for reproducibility)

Hybrid scan

fendix scan \
  --url https://api.example.com \
  --spec ./openapi.yaml \
  --code ./src \
  --format html \
  --fail-on HIGH

Runs both black-box and white-box analysis and correlates the results.
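
The same scan wired into a CI job, as an added example that is not Fendix's own code: a POSIX sh wrapper that acts on the exit codes documented above (0 clean, 1 when --fail-on is met, 2 from --fail-on-scanner-error), hides known findings with --baseline, and promotes a new baseline only after a clean run. FENDIX_BIN is an assumed override (default "fendix") so the wrapper can be exercised against a stub; findings.sarif and .fendix-baseline.json are example paths.

```shell
#!/bin/sh
# ci-gate.sh: run `fendix scan` as a CI gate and act on its exit code.
# Added example, not Fendix's own code. It relies only on behaviour documented
# on this page: --fail-on HIGH makes the scan exit 1 when a HIGH+ finding
# exists, --fail-on-scanner-error makes it exit 2 when any scanner errored,
# --baseline hides previously known findings and --save-baseline records the
# current ones. FENDIX_BIN is an assumed override (defaults to "fendix") so the
# wrapper can be exercised against a stub without a real scanner installed.

# fendix_gate CODE_DIR BASELINE_FILE
# Prints one word (clean | findings | scanner-error | unknown) and returns the
# scanner's exit code, so `fendix_gate ... || exit $?` fails the job.
fendix_gate() {
    code_dir=$1
    baseline=$2
    bin=${FENDIX_BIN:-fendix}
    rc=0

    # Only diff against a baseline that actually exists; the first full run
    # has nothing to diff against and must report everything.
    if [ -f "$baseline" ]; then
        "$bin" scan --code "$code_dir" \
            --format sarif --output findings.sarif \
            --fail-on HIGH --fail-on-scanner-error \
            --baseline "$baseline" --save-baseline "$baseline.new" || rc=$?
    else
        "$bin" scan --code "$code_dir" \
            --format sarif --output findings.sarif \
            --fail-on HIGH --fail-on-scanner-error \
            --save-baseline "$baseline.new" || rc=$?
    fi

    case $rc in
        0) echo clean ;;
        1) echo findings ;;
        2) echo scanner-error ;;
        *) echo unknown ;;
    esac

    # Promote the fresh baseline only on a clean run. A run that failed on
    # findings, or that lost a scanner, must never become tomorrow's "known
    # good" state: with --baseline those findings would then be filtered out
    # of every later run and silently accepted.
    if [ "$rc" -eq 0 ] && [ -f "$baseline.new" ]; then
        mv "$baseline.new" "$baseline"
    else
        rm -f "$baseline.new"
    fi
    return "$rc"
}

# Usage in a CI job step (a non-zero return fails the step):
#   fendix_gate ./src .fendix-baseline.json || exit $?
```

Exit code 2 is treated as a failure distinct from findings on purpose: a job that goes green because govulncheck or semgrep never ran has no coverage, and the wrapper makes that visible in the job log rather than in a later incident.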

Active probing

fendix scan \
  --url https://api.example.com \
  --enable-active \
  --fail-on CRITICAL \
  --save-baseline ./baseline.json

Enables active probes: SQLi/CMDi/CRLF injection plus open-redirect, reflected XSS, in-band SSRF, host-header injection, GraphQL introspection, and HTTP method tampering (v0.18). These probes send attack payloads to the target, so run them only against systems you are explicitly authorized to test.

PDF + Jira sync (v0.13+)

fendix scan \
  --code ./src --format pdf \
  --classification "CONFIDENTIAL" \
  --output report.pdf

export FENDIX_JIRA_URL=https://org.atlassian.net
export FENDIX_JIRA_PROJECT_KEY=SEC
export FENDIX_JIRA_EMAIL=you@example.com
export FENDIX_JIRA_API_TOKEN=<token>
fendix scan --code ./src --format json --output f.json
fendix jira --findings f.json

PDF executive report with classification banner + idempotent Jira issue sync.

Air-gapped offline scan (v0.13+)

# One-time: populate CVE snapshot (internet-connected machine)
fendix db update --source osv-export.json

# Copy ~/.fendix/osv-snapshot.json to air-gapped host

# Air-gapped scan — no outbound network calls
fendix scan \
  --code ./src \
  --offline \
  --offline-db ./osv-snapshot.json

Full dep-CVE coverage with no internet access. Coverage is only as fresh as the snapshot's timestamp (see fendix db list), so refresh and re-copy the snapshot on a schedule.
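
A snapshot carried across an air gap is an integrity-sensitive input: a truncated or tampered file silently drops advisories from the results. fendix db verify prints the snapshot's SHA-256 for exactly this reason. The following is an added example, not Fendix's own code, that records the hash on the connected side with standard tools and refuses to start the offline scan on the air-gapped side unless the copied file matches. FENDIX_BIN is an assumed override (default "fendix"); the file names are illustrative.

```shell
#!/bin/sh
# offline-scan.sh: check the integrity of a CVE snapshot carried into an
# air-gapped host before trusting it for an --offline scan.
# Added example, not Fendix's own code. It uses only documented flags
# (--offline, --offline-db) plus sha256sum/shasum; FENDIX_BIN is an assumed
# override (defaults to "fendix") so the flow can be exercised against a stub.

# sha256_of FILE: print the hex SHA-256 using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_snapshot FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be hashed.
# The expected value is lower-cased so a hash pasted from `fendix db verify`
# or from a checksum file compares correctly regardless of case.
verify_snapshot() {
    snapshot=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$snapshot" ] || { echo "snapshot not readable: $snapshot" >&2; return 2; }
    actual=$(sha256_of "$snapshot") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "snapshot SHA-256 mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# offline_scan CODE_DIR SNAPSHOT EXPECTED_HEX
# Runs the air-gapped scan only when the snapshot matches the recorded hash;
# otherwise propagates verify_snapshot's exit code and never starts fendix.
offline_scan() {
    verify_snapshot "$2" "$3" || return $?
    "${FENDIX_BIN:-fendix}" scan --code "$1" --offline --offline-db "$2"
}

# Connected side, after `fendix db update --source osv-export.json`:
#   sha256_of ~/.fendix/osv-snapshot.json > osv-snapshot.sha256
# Air-gapped side, after copying the snapshot and the checksum file:
#   offline_scan ./src ./osv-snapshot.json "$(cat osv-snapshot.sha256)"
```

Carry the checksum over a channel separate from the snapshot itself (a ticket, a signed message, a printout) if the transfer medium is not trusted; a hash that travels on the same USB stick as the file it protects only detects accidental corruption, not substitution.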

CLI behaviour follows the backend contract and the safety defaults described above: the private-target guard, plugin isolation, and refusal to overwrite existing files.