Obtaining the CLI
DotNet Tool (Recommended):
Initial Install
Install the .NET SDK and then run dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI
.
Updating
The tool does not automatically update, but you can update to the latest version of AppInspector with dotnet tool update --global Microsoft.CST.ApplicationInspector.CLI
.
Binary Download:
Download an Application Inspector release from the GitHub releases. These releases are platform specific and don't require a .NET SDK install.
Basic CLI Usage
> AppInspector <command> <options>
ApplicationInspector.CLI 1.6.22+a4d4df45d0
c Microsoft Corporation. All rights reserved.
analyze Inspect source directory/file/compressed file (.tgz|zip)
against defined characteristics
tagdiff Compares unique tag values between two source paths
exporttags Export the list of tags associated with the specified rules.
Does not scan source code.
verifyrules Verify custom rules syntax is valid
packrules Combine multiple rule files into one file for ease in
distribution
help Display more information on a specific command.
version Display version information.
Examples:
Command Help
For help with an individual command run appinspector <command> --help
. To see a list of available commands run appinspector --help
.
Analyze Command
Usage: AppInspector analyze [arguments] [options]
Arguments:
-s, --source-path Required. Source file or directory to
inspect, comma separated
-f, --output-file-format (Default: html) Output format
[html|json|text]
-e, --text-format (Default:
Tag:%T,Rule:%N,Ruleid:%R,Confidence:%X
,File:%F,Sourcetype:%t,Line:%L,Sample:
%m) Match text format specifiers
-N, --no-show-progress Disable progress information.
-C, --context-lines Number of lines of context on each
side to include in excerpt (up to a
maximum of 100 * NumLines characters
on each side). 0 to skip exerpt. -1 to
not extract samples or excerpts
(implied by -t). When outputting sarif
use -1 for no snippets, all other
values ignored.
-t, --tags-only Only get tags (no detailed match
data). Ignored if output format is
sarif.
-n, --no-file-metadata Don't collect metadata about each
individual file.
-A, --allow-all-tags-in-build-files Allow all tags (not just Metadata
tags) in files of type Build.
-M, --max-num-matches-per-tag If non-zero, and TagsOnly is not set,
will ignore rules based on if all of
their tags have been found the set
value number of times.
--base-path If set, when outputting sarif, will
have paths made relative to the
provided path.
--repository-uri If set, when outputting sarif, include
this information.
--commit-hash If set, when outputting sarif, include
this information.
--disable-custom-rule-validation By default when providing custom rules
they are validated. When set,
validation will be skipped.
-i, --ignore-default-rules (Default: false) Exclude default rules
bundled with application
-F, --file-timeout (Default: 60000) Maximum amount of
time in milliseconds to allow for
processing each file. 0 is infinity.
Default: 60000.
-p, --processing-timeout (Default: 0) Maximum amount of time in
milliseconds to allow for processing.
When NoShowProgress is set this
includes enumeration time. 0 is
infinity. Default: 0.
--enumeration-timeout (Default: 0) Maximum amount of time in
milliseconds to allow for enumerating.
0 is infinity. Default: 0.
--disable-archive-crawling Disable Archive Enumeration.
-S, --single-threaded Disables parallel processing. May be
helpful for debugging with higher
verbosity.
-g, --exclusion-globs (Default: **/bin/** **/obj/**
**/.vs/** **/.git/**) Exclude source
files that match glob patterns.
Example: "**/.git/**,*Tests*". Use
"none" to disable.
-u, --scan-unknown-filetypes Scan files of unknown types.
-c, --confidence-filters (Default: High Medium) Output only
matches with specified confidence
<value>,<value>. Default: Medium,High.
[High|Medium|Low]
--severity-filters (Default: Critical Important Moderate
BestPractice ManualReview) Output only
matches with specified severity
<value>,<value>. Default: All are
enabled.
[Critical|Important|Moderate|BestPract
ice|ManualReview]
-r, --custom-rules-path Custom rules file or directory path
--custom-languages-path Replace the default languages set with
a custom languages.json.
--custom-comments-path Replace the default comment
specification set with a custom
comments.json.
--disable-require-unique-ids Allow rules with duplicate IDs.
--success-error-code-with-no-matches When processing is apparently
successful but there are no matches
return a success error code - useful
for CI.
--require-must-match When validating, require rules to have
MustMatch self-tests.
--require-must-not-match When validating, require rules to have
MustNotMatch self-tests.
-o, --output-file-path Output file path
-x, --console-verbosity (Default: Information) Console
verbosity
[Verbose|Debug|Information|Warning|Err
or|Fatal]
--disable-console (Default: false) Disable console
output of logging messages.
-v, --log-file-level (Default: Error) Log file level
[Verbose|Debug|Information|Warning|Err
or|Fatal]
-l, --log-file-path Log file path. If not set, will not
log to file.
--help Display this help screen.
--version Display version information.
Scan a project directory, with output sent to "output.html" (default behavior includes launching default browser to this file)
AppInspector analyze -s /home/user/myproject
Scan using custom rules and ignoring default rules
AppInspector analyze -s /home/user/myproject -r /home/user/myrules -i
Write to JSON format
AppInspector analyze -s /home/user/myproject -f json
Write to Sarif format
AppInspector analyze -s /home/user/myproject -f sarif
Tag Diff Command
Use to analyze and report on differences in tags (features) between two project or project versions e.g. v1, v2 to see what changed
Usage: AppInspector tagdiff [arguments] [options]
Arguments:
--src1 Required. Source 1 to compare (commaa
separated)
--src2 Required. Source 2 to compare (commaa
separated)
-t, --test-type (Default: Equality) Type of test to
run [Equality|Inequality]
--disable-custom-rule-validation By default when providing custom rules
they are validated. When set,
validation will be skipped.
-i, --ignore-default-rules (Default: false) Exclude default rules
bundled with application
-F, --file-timeout (Default: 60000) Maximum amount of
time in milliseconds to allow for
processing each file. 0 is infinity.
Default: 60000.
-p, --processing-timeout (Default: 0) Maximum amount of time in
milliseconds to allow for processing.
When NoShowProgress is set this
includes enumeration time. 0 is
infinity. Default: 0.
--enumeration-timeout (Default: 0) Maximum amount of time in
milliseconds to allow for enumerating.
0 is infinity. Default: 0.
--disable-archive-crawling Disable Archive Enumeration.
-S, --single-threaded Disables parallel processing. May be
helpful for debugging with higher
verbosity.
-g, --exclusion-globs (Default: **/bin/** **/obj/**
**/.vs/** **/.git/**) Exclude source
files that match glob patterns.
Example: "**/.git/**,*Tests*". Use
"none" to disable.
-u, --scan-unknown-filetypes Scan files of unknown types.
-c, --confidence-filters (Default: High Medium) Output only
matches with specified confidence
<value>,<value>. Default: Medium,High.
[High|Medium|Low]
--severity-filters (Default: Critical Important Moderate
BestPractice ManualReview) Output only
matches with specified severity
<value>,<value>. Default: All are
enabled.
[Critical|Important|Moderate|BestPract
ice|ManualReview]
-r, --custom-rules-path Custom rules file or directory path
--custom-languages-path Replace the default languages set with
a custom languages.json.
--custom-comments-path Replace the default comment
specification set with a custom
comments.json.
--disable-require-unique-ids Allow rules with duplicate IDs.
--success-error-code-with-no-matches When processing is apparently
successful but there are no matches
return a success error code - useful
for CI.
--require-must-match When validating, require rules to have
MustMatch self-tests.
--require-must-not-match When validating, require rules to have
MustNotMatch self-tests.
-o, --output-file-path Output file path
-f, --output-file-format (Default: text) Output format
[json|text]
-x, --console-verbosity (Default: Information) Console
verbosity
[Verbose|Debug|Information|Warning|Err
or|Fatal]
--disable-console (Default: false) Disable console
output of logging messages.
-v, --log-file-level (Default: Error) Log file level
[Verbose|Debug|Information|Warning|Err
or|Fatal]
-l, --log-file-path Log file path. If not set, will not
log to file.
--help Display this help screen.
--version Display version information.
Simplest way to see the delta of tag features between two projects
AppInspector tagdiff --src1 /home/user/project1 --src2 /home/user/project2
Basic use
AppInspector tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t equality
Basic use
AppInspector tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t inequality
Export Tags Command
Simple export of the ruleset tags representing what features are supported for detection
Usage: AppInspector exporttags [arguments] [options]
Arguments:
-r, --custom-rules-path Custom rules file or directory path
-i, --ignore-default-rules (Default: false) Exclude default rules bundled
with application
-o, --output-file-path Output file path
-f, --output-file-format (Default: text) Output format [json|text]
-x, --console-verbosity (Default: Information) Console verbosity
[Verbose|Debug|Information|Warning|Error|Fatal]
--disable-console (Default: false) Disable console output of
logging messages.
-v, --log-file-level (Default: Error) Log file level
[Verbose|Debug|Information|Warning|Error|Fatal]
-l, --log-file-path Log file path. If not set, will not log to file.
--help Display this help screen.
--version Display version information.
Export default rule tags to console
AppInspector exporttags
Using output file
AppInspector exporttags -o /home/user/myproject/exportags.txt
With custom rules and output file
AppInspector exporttags -r /home/user/myproject/customrules -o /hom/user/myproject/exportags.txt
Verify Rules Command
Verify a custom ruleset is compatible and error free for use with Application Inspector. Note the default ruleset is already verified as part of the Build process and does not normally require a separate verification.
Usage: AppInspector verifyrules [arguments]
Arguments:
-d, --verify-default-rules (Default: false) Verify the rules
embedded in the binary.
-r, --custom-rules-path Custom rules file or directory path
--custom-languages-path Replace the default languages set with
a custom languages.json.
--custom-comments-path Replace the default comment
specification set with a custom
comments.json.
--disable-require-unique-ids Allow rules with duplicate IDs.
--success-error-code-with-no-matches When processing is apparently
successful but there are no matches
return a success error code - useful
for CI.
--require-must-match When validating, require rules to have
MustMatch self-tests.
--require-must-not-match When validating, require rules to have
MustNotMatch self-tests.
-o, --output-file-path Output file path
-f, --output-file-format (Default: text) Output format
[json|text]
-x, --console-verbosity (Default: Information) Console
verbosity
[Verbose|Debug|Information|Warning|Err
or|Fatal]
--disable-console (Default: false) Disable console
output of logging messages.
-v, --log-file-level (Default: Error) Log file level
[Verbose|Debug|Information|Warning|Err
or|Fatal]
-l, --log-file-path Log file path. If not set, will not
log to file.
--help Display this help screen.
--version Display version information.
Simplest case
AppInspector verifyrules -r /home/user/mycustomrules
Pack Rules Command
Condense multiple rule files into one for ease in distribution with Application Inspector
Usage: AppInspector packrules [arguments]
Arguments:
-e, --pack-embedded-rules Pack the rules that are embedded in
the application inspector binary.
-r, --custom-rules-path Custom rules file or directory path
--custom-languages-path Replace the default languages set with
a custom languages.json.
--custom-comments-path Replace the default comment
specification set with a custom
comments.json.
--disable-require-unique-ids Allow rules with duplicate IDs.
--success-error-code-with-no-matches When processing is apparently
successful but there are no matches
return a success error code - useful
for CI.
--require-must-match When validating, require rules to have
MustMatch self-tests.
--require-must-not-match When validating, require rules to have
MustNotMatch self-tests.
-o, --output-file-path Output file path
-f, --output-file-format (Default: text) Output format
[json|text]
-x, --console-verbosity (Default: Information) Console
verbosity
[Verbose|Debug|Information|Warning|Err
or|Fatal]
--disable-console (Default: false) Disable console
output of logging messages.
-v, --log-file-level (Default: Error) Log file level
[Verbose|Debug|Information|Warning|Err
or|Fatal]
-l, --log-file-path Log file path. If not set, will not
log to file.
--help Display this help screen.
--version Display version information.
Simplist case to repack default rules into default or alternate location
AppInspector packrules -d -o /home/user/myproject/defaultrules.json
Using custom rules only
AppInspector packrules -r /home/user/myproject/customrules -o /home/user/mypackedcustomrules.json