CLI Overview

The RootCause CLI (Command-Line Interface) is the primary tool for running static code analysis. It enables you to scan your code, apply custom rules, and generate reports in different formats.

What is the CLI?

The RootCause CLI is a binary executable that provides everything you need to:

  • Scan code: Analyse files and directories for security and quality issues
  • Apply rules: Use custom rules to detect specific patterns
  • Generate reports: Produce outputs in text, JSON, or SARIF formats
  • Manage rules: Install, update, and manage rule sets
  • Manage plugins: Install, configure, and use external plugins
  • Integrate with CI/CD: Seamless integration into development pipelines

Configuration file location

RootCause uses a TOML configuration file located at:

  • Linux/macOS: ~/.config/rootcause/config.toml
  • Windows: %APPDATA%\rootcause\config.toml

Configuration file structure (config.toml)

```toml
# Cache configuration
[cache]
cache_dir = "./cache"

# Rules configuration
[rules]
rule_dirs = [
  "/home/user/.config/rootcause/rules",
  "./custom-rules"
]

# Plugins configuration
[plugins]
[plugins.plugin-name]
enabled = true
param1 = "value1"
param2 = 123
```

Default directories

  • Rules: ~/.config/rootcause/rules (Linux/macOS) or %APPDATA%\rootcause\rules (Windows)
  • Plugins: ~/.config/rootcause/plugins (Linux/macOS) or %APPDATA%\rootcause\plugins (Windows)

Main commands

scan

Main command to run code analysis.

```bash
rootcause scan <PATH> [OPTIONS]
```

rules

Manage analysis rule sets.

```bash
rootcause rules <COMMAND> [OPTIONS]
```

plugins

Manage plugins to extend functionality.

```bash
rootcause plugins <COMMAND> [OPTIONS]
```

Global options

Available at the top-level CLI:

```bash
rootcause --help
```

Full help output

```text
RootCause is a powerful Static Analysis Security Testing (SAST) tool that helps developers find security vulnerabilities, code quality issues, and compliance violations in their codebases.

Features:
 Multi-language support (Python, Rust, JavaScript, Java, Docker, YAML, etc.)
 Customizable rule sets with YAML, JSON, and OPA support
 Plugin architecture for extensibility
 Multiple output formats (Text, JSON, SARIF)
 CI/CD integration ready
 Real-time scanning and reporting

Examples:
  rootcause scan .                    # Scan current directory
  rootcause scan src/ --format json   # Scan with JSON output
  rootcause rules install <url>       # Install custom rules
  rootcause plugins list              # List installed plugins

Usage: rootcause <COMMAND>

Commands:
  scan     Scan code for security vulnerabilities and quality issues
  plugins  Manage plugins for extending RootCause functionality
  rules    Manage security rules and rule sets
  help     Print this message or the help of the given subcommand(s)

Options:
  -v, --version    Show version information
  -h, --help       Print help (see a summary with '-h')
```

CI/CD integration

The CLI is designed to integrate easily into CI/CD pipelines:

```yaml
# GitHub Actions
- name: Run RootCause Analysis
  run: |
    rootcause scan . --format sarif --fail-on medium > report.sarif

# GitLab CI
analyze:
  script:
    - rootcause scan . --format sarif --fail-on high > report.sarif
  artifacts:
    reports:
      sarif: report.sarif
```
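Both pipelines above keep `report.sarif` as an artifact, and a later job usually wants to summarise it or apply its own gate (for instance a stricter threshold than the `--fail-on` level used at scan time) without re-running the scan. The script below is an added example, not RootCause's or the page's code. It assumes the report follows SARIF 2.1.0 (`runs[].results[]` with a `level`, and rule metadata under `tool.driver.rules`), maps each result to low/medium/high/critical, and decides whether the job should fail. The mapping is an assumption: a rule's `security-severity` score, when present, is bucketed with the cut-offs GitHub code scanning uses (9.0, 7.0, 4.0), otherwise the SARIF `level` is used. The embedded SARIF document is constructed for the example.

```python
"""Summarise a SARIF report and gate a CI job on its findings.

Added example, not part of RootCause. Assumes SARIF 2.1.0 structure; the
severity bucketing below is an assumption, not RootCause's documented mapping.
"""
import json
import sys

# Severity order for the gate; names mirror the --fail-on levels seen on the page
# (the full set of levels RootCause accepts is an assumption).
ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report with three findings of differing severity.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "rootcause", "rules": [
            {"id": "py.hardcoded-secret", "properties": {"security-severity": "8.5"}},
            {"id": "py.broad-except"},
            {"id": "yaml.no-resource-limits"},
        ]}},
        "results": [
            {"ruleId": "py.hardcoded-secret", "level": "error",
             "message": {"text": "Hard-coded credential"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "py.broad-except", "level": "warning",
             "message": {"text": "Bare except swallows errors"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/main.py"},
                                                 "region": {"startLine": 40}}}]},
            {"ruleId": "yaml.no-resource-limits", "level": "note",
             "message": {"text": "Container has no resource limits"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/pod.yaml"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def severity_of(result: dict, rules_by_id: dict) -> str:
    """Bucket one result: security-severity score first, SARIF level as fallback."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        s = float(score)
        return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"
    return {"error": "high", "warning": "medium", "note": "low"}.get(result.get("level", "warning"), "medium")


def summarise(sarif: dict) -> dict:
    """Return per-severity counts plus a flat list of findings with locations."""
    counts = {name: 0 for name in ORDER}
    findings = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            sev = severity_of(res, rules)
            counts[sev] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "severity": sev,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    findings.sort(key=lambda f: -ORDER[f["severity"]])
    return {"counts": counts, "findings": findings}


def should_fail(counts: dict, fail_on: str) -> bool:
    """True when any finding is at or above the fail_on severity."""
    threshold = ORDER[fail_on]
    return any(n and ORDER[sev] >= threshold for sev, n in counts.items())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    fail_on = sys.argv[2] if len(sys.argv) > 2 else "medium"
    report = json.load(open(path)) if path else json.loads(SAMPLE_SARIF)
    summary = summarise(report)
    for f in summary["findings"]:
        print(f"{f['severity']:<8} {f['rule']:<28} {f['file']}:{f['line']}  {f['message']}")
    print("counts:", summary["counts"])
    sys.exit(1 if should_fail(summary["counts"], fail_on) else 0)
```

In a pipeline this runs as a follow-up step, e.g. `python sarif_gate.py report.sarif high`, and its non-zero exit code fails the job; the same parsed summary is also the natural input for posting a comment on the merge request or feeding a dashboard.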

Next steps