CLI Reference

Command Line Usage

Core commands and flags used by teams to run scans locally and in CI/CD.

Commands

fendix scan       Run a security scan against a target
fendix init       Generate a drop-in GitHub Actions workflow + .fendix.yaml policy + .fendix-ignore for the current repo (v0.6+)
fendix demo       Spin up OWASP Juice Shop locally in Docker, run a sample scan, and (with --open) open the HTML report (v0.6.1+)
fendix report     Re-render saved findings in a different format
fendix verify     Re-run a single finding by ID to confirm it
fendix version    Print the installed Fendix version

Scan Flags

--url                       Target API base URL
--spec                      OpenAPI/Swagger: local path or https:// URL
--code                      Source code directory for white-box analysis
--auth                      Auth header value, e.g. "Bearer token123"
--auth-type                 Auth profile: bearer | apikey | apikey-query | basic | cookie (default: auto-detect)
--auth-header               Custom auth header name (default: Authorization). With --auth-type apikey-query, this is the URL query-param name (default: api_key).
--auth-user2                Second user auth for IDOR checks
--profile                   Auth profile from ~/.fendix/profiles/
-o, --output                Output file path (default: stdout)
-f, --format                Output format: json | html | sarif (default: json)
--fail-on                   Exit 1 if findings meet threshold: CRITICAL | HIGH | MEDIUM
--baseline                  Previous findings JSON for diff; show only new issues
--save-baseline             Save current findings to path for future diffs
--enable-active             Enable active injection probes (SQLi, CMDi, CRLF)
--max-probes-per-endpoint   Cap active payloads per endpoint when --enable-active (default: 20)
-w, --workers               Concurrent HTTP workers (default: 10)
--timeout                   HTTP timeout in seconds (default: 10)
--delay                     Milliseconds between requests (default: 100)
--ignore                    Path to .fendix-ignore suppression file
--wordlist                  Custom brute-force wordlist path; overrides built-in 117-path list
--crawl-depth               Recursive HTML link crawl depth: 0 disables, 1 = home-page links (default), 2+ = deeper
--max-endpoints             Cap discovered endpoints after dedupe (default: 500; 0 = no cap)
--max-requests              Soft cap on total HTTP requests during the scan phase; discovery exempt (v0.5; 0 = no cap)
--max-duration              Wall-clock deadline as a Go duration string, e.g. 5m, 90s, 2m30s (v0.5)
--respect-robots            Treat robots.txt Disallow rules as a hard restriction across discovery (v0.5; default off)
--debug-bundle              Write a redacted diagnostic .tar.gz at the given path (auth values masked; full DEBUG slog stream and probe audit log included). For attaching to bug reports (v0.6)
--config                    Path to .fendix.yaml policy file (default: auto-detect .fendix.yaml in cwd; an explicit path to a missing file is a hard error). Precedence: cobra default < .fendix.yaml < explicit CLI flag (v0.6.1+)
--no-plugins                Disable out-of-tree plugin discovery in .fendix/plugins/ and ~/.fendix/plugins/. Use for sandboxed CI or when isolating engine behavior from third-party plugins (v0.7+)
-v, --verbose               Print all requests and raw findings

Report Flags

Re-render a saved findings JSON file to a different format without re-scanning.

--input           Path to findings JSON file (required)
-f, --format      Output format: json | html | sarif (default: html)
-o, --output      Output file path (default: stdout)

Init Flags

fendix init detects the project's stack (Go, Python, Node.js, Ruby, Rust, Java/Kotlin, PHP) and any colocated OpenAPI/Swagger spec, then writes three files into the working directory: .github/workflows/fendix.yml (drop-in CI workflow), .fendix.yaml (commented policy starter; see the schema reference), and .fendix-ignore (suppressions starter). It refuses to overwrite existing files by default, and the pre-flight check is atomic across all three files: if any one exists, none are written.

--force           Overwrite existing .github/workflows/fendix.yml, .fendix.yaml, or .fendix-ignore (default: refuse and exit; pre-flight check is atomic across all three)
--print           Dry-run: render templates to stdout without touching disk

Demo Flags

fendix demo spins up bkimminich/juice-shop:v17.1.1 in Docker on localhost:3000, runs a stock fendix scan against it, and renders an HTML report. The container is always cleaned up on exit, whether the scan succeeds or fails. Useful for first-time evaluators who want to see a real scan without pointing fendix at production.

--open            Open the rendered HTML report in your default browser when the scan finishes
--port            Local port to bind juice-shop on (default: 3000)
--output          HTML report output path (default: $TMPDIR/fendix-demo-<unix>.html)
--image           Juice-shop Docker image reference (default: bkimminich/juice-shop:v17.1.1, pinned for reproducibility)

Hybrid scan

fendix scan \
  --url https://api.example.com \
  --spec ./openapi.yaml \
  --code ./src \
  --format html \
  --fail-on HIGH

Runs both black-box and white-box analysis and correlates the results.

Active probing

fendix scan \
  --url https://api.example.com \
  --enable-active \
  --fail-on CRITICAL \
  --save-baseline ./baseline.json

Enables SQLi, CMDi, and CRLF injection probes. Requires explicit authorization.
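Baseline-gated CI run, as an added example that is not part of the Fendix project: a POSIX sh wrapper that diffs against a saved baseline when one exists and otherwise creates it, using only the scan flags documented above. FENDIX_BIN, the results.sarif path, the .new baseline suffix and the run_scan/build_scan_args names are assumptions.

```shell
# Added example, not Fendix project code. Wraps `fendix scan` for CI so that
# the build is gated on findings new since the last saved baseline.
FENDIX_BIN="${FENDIX_BIN:-fendix}"   # assumption: fendix on PATH unless overridden

# Print the `fendix scan` argument list, one argument per line, for scanning
# TARGET_URL, diffing against BASELINE_PATH when that file exists, and failing
# the build at THRESHOLD. Returns 2 on a threshold fendix would reject.
build_scan_args() {
  target_url="$1"
  baseline_path="$2"
  threshold="$3"
  case "$threshold" in
    CRITICAL|HIGH|MEDIUM) ;;
    *) echo "build_scan_args: --fail-on must be CRITICAL, HIGH or MEDIUM, got '$threshold'" >&2
       return 2 ;;
  esac
  printf '%s\n' scan --url "$target_url" --format sarif --output results.sarif --fail-on "$threshold"
  if [ -f "$baseline_path" ]; then
    # A saved baseline exists: report, and exit 1, only on issues new since that run.
    printf '%s\n' --baseline "$baseline_path"
  fi
  # Always save the current findings beside the baseline; the CI job is expected
  # to promote the .new file to the baseline after a green build (assumption).
  printf '%s\n' --save-baseline "${baseline_path}.new"
}

# Run the scan. The exit status is fendix's own: 1 when findings meet the threshold.
run_scan() {
  args=$(build_scan_args "$@") || return $?
  # Split the newline-separated list back into positional parameters
  # (URLs and paths must not contain newlines or glob characters).
  old_ifs=$IFS
  IFS='
'
  set -- $args
  IFS=$old_ifs
  "$FENDIX_BIN" "$@"
}
```

Invoke as `run_scan https://api.example.com .fendix-baseline.json HIGH` from the CI step; on the first run no --baseline flag is passed and every finding at or above HIGH fails the job.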

CLI behavior reflects backend contract and safety defaults.