These docs are for v1.1. Click to read the latest docs for v1.2.

Running a Scan

This command enables you to specify one or more discovery strategies. For example, using the --crawler option and/or the generated .HAR files, separately or concurrently. This means that you can handle client-side dynamic content, JavaScript, and so on.



If the maximum number of scans that can be run simultaneously is exceeded, the scan is placed in the queue. The concurrent scans limitation can be set either for the entire organization or for this particular project in the project settings. The new scan will start as soon as you manually stop another running scan or when the current scan is completed.



If using a Repeater, add --experimental-connection-reuseflag to keep an open connection between a Repeater and the target.


--token=apiKey, -t=apiKeyThe unique identifier used to authenticate a user. The token (API key) can be issued in your organization’s dashboard.
--name=scanName, -n=scanNameThe name of the scan
--archive=fileId, -a=fileIdThe archive ID, which can be received via the archive:upload command.
--crawler=url, -c=urlSpecifies a list of specific URLs that should be included during crawler discovery.
--agent=repeaterId (Deprecated)
Specifies a list of Repeater UUIDs that should be connected with the scan
--clusterBright cluster (domain name)

--project, -pAllows specifying the Bright project for a scan using the project ID. You can find the project ID in the Projects section in the Bright app.
--integration, -iAllows connecting a ticketing service with an associated repository for a scan. It enables you to get the reports on every detected vulnerability in automatically opened tickets/issues of the associated repository.

Note: You can only connect a ticketing service (system) that was previously integrated with the Bright app. Read more about integrating Bright with ticketing systems here.

Format: -i "service:repository"
Example: -i "github:example-app"
If you want to connect several repositories for one scan, you can specify them one after another: -i "github:example-app" -i "jira:example-app"


- To connect a ticketing service and a repository for a scan, the token (API key) that you use for the scan must include the integration.repos:read scope.
- The --integration (-i) parameter cannot be used without a valid --project (-p) parameter (see above). Make sure that you connect a repository associated with the specified project.
--smartEnables you to use automatic smart decisions, such as parameter skipping, detection phases, and so on to minimize scan time. When set to false (turned off), all tests are run on all parameters, which increases the coverage at the expense of scan time.

Default: --smart true
Defines which part of the request to attack.

Note: This argument can be passed multiple times in the same command.

Default: --parameter body query fragment.
--host-filter=hostOrIp, -F=hostOrIpThe list of specific hosts to be included in the scan.
Extra headers to be passed with the archive file. It can also be used to remove a header by providing a name without content. For example, -H "Host:".

Warning: Headers set with this option override the archive headers and are set in all the requests.
--test=testNameSpecifies a list of relevant tests to execute during a scan.
For example, --test default_login_location dom_xss.
Specifies the ID of the authentication object to be connect to the scan. Find more info about using an authentication object at Manging Your Authentications.
--config=pathToConfigSpecifies the path to the configuration file. By default, the CLI tries to discover the config in thepackage.json in the root directory of your application or a separate file by a specified name in the working directory. For details, see Configuration Files for more information.
Allows setting the level of logs to report. Any logs of a higher level than the one specified are shown. The options to select : 0, 1, 2, 3, 4, "silent", "error", "warn", "notice", "verbose".

Default: 3
--insecureAllows the Bright CLI to proceed and operate even if the server connection is considered insecure.
--proxy=socksProxyUrlSOCKS URL to proxy all traffic.

Note: SOCKS4, SOCKS5, SOCKS4a, SOCKS5h are currently supported. By default, if you specify SOCKS://<URL>, then SOCKS5h is applied.
--api=clusterUrl(Deprecated). Set the API endpoint domain, for VPC, use: --api

Default: --api <>
--excludeEnables you to manage exclusions from a scan.

If you want to ignore some of the parameter names during the tests, use exclude-param. For example, --exclude-param ID$.

--exclude-entry-point A list of JSON strings that contain patterns for entry points you would like to ignore during the tests.


- To remove default exclusions, pass an empty string.
- To apply patterns for all HTTP methods, you can set an empty array to “methods”. For example {“methods”: [], “patterns”: “users\\/?$”}.