Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.zenable.io/llms.txt

Use this file to discover all available pages before exploring further.

Quick Installation

curl -fsSL https://cli.zenable.app/install.sh | bash
For more installation options, see the Getting Started guide.

Overview

Zenable CLI - conformance checking, IDE management, and hook handling for agentic IDEs. The zenable CLI is the native Go binary for conformance checking, IDE management, and hook handling.

Global Options

These options are available for all commands:
OptionDescription
-v, --verboseEnable verbose output (repeatable: -v, -vv)
-h, --helpShow help message

Commands

install

Install the Zenable integrations. 
zenable install [OPTIONS] [COMMAND] [ARGS]...
Note: You can use unified commands like install cursor or install claude-code, or use subcommands like install mcp cursor and install hook claude-code. The unified commands are simpler and install all features.

Options

OptionDescription
-d, --dry-runPreview what would be done without actually performing the installation
-p, --projectInstall in the project directory instead of globally
--include TEXTInclude only directories matching these glob patterns (e.g., '**/microservice-*')
--exclude TEXTExclude directories matching these glob patterns
--allInstall for all supported IDEs, even if not currently installed
-h, --helpShow help message
By default, zenable install installs globally so the integration is available across all your projects.
Want project-level installation? Run zenable install --project from inside a git repository to install only for that project. When using --project outside a git repository, the installer will present an interactive TUI to select which repositories to install into.

Subcommands

install mcp
Install Zenable MCP server configuration. Uses OAuth for secure authentication. 
zenable install mcp [OPTIONS] COMMAND [ARGS]...
Additional options:
OptionDescription
--overwriteOverwrite existing Zenable configuration if it exists
--no-instructionsDon’t show post-installation instructions
Supported IDE commands:
  • all - Install MCP for all detected IDEs (default)
  • amp - Install MCP for Amp
  • antigravity - Install MCP for Antigravity
  • auggie (alias: augment) - Install MCP for Auggie
  • claude-code (alias: claude) - Install MCP for Claude Code
  • codex - Install MCP for Codex
  • continue - Install MCP for the Continue IDE*
  • copilot-cli - Install MCP for GitHub Copilot CLI
  • cursor - Install MCP for Cursor IDE and cursor-agent CLI
  • gemini - Install MCP for Gemini CLI
  • kiro - Install MCP for Kiro
  • roo - Install MCP for Roo Code
  • vscode - Install MCP for Visual Studio Code
  • windsurf - Install MCP for Windsurf IDE
install hook
Install hooks for various tools. 
zenable install hook [OPTIONS] COMMAND [ARGS]...
Supported hook commands:
  • all - Install hooks for all supported tools
  • claude-code (alias: claude) - Install Claude Code hooks
  • cursor - Install Cursor hooks
Options
OptionDescription
--dry-runPreview what would be done without actually performing the installation
--include TEXTInclude only directories matching these glob patterns (e.g., '**/microservice-*')
--exclude TEXTExclude directories matching these glob patterns
-h, --helpShow help message

Examples

# Install globally for all detected IDEs (recommended)
zenable install

# Install for a specific IDE using unified command (recommended)
zenable install cursor
zenable install claude-code

# Install in the current project only
zenable install --project

# Preview what would be done without installing
zenable install --dry-run

# Advanced: Install only MCP (without hooks) for all detected IDEs
zenable install mcp

# Advanced: Install only MCP for a specific IDE
zenable install mcp cursor

# Advanced: Install only hooks
zenable install hook
zenable install hook claude-code
zenable install hook cursor

uninstall

Remove Zenable integrations from your system. 
zenable uninstall [OPTIONS]
Launches an interactive TUI to select which integrations to remove.

Options

OptionDescription
-d, --dry-runPreview what would be done without actually performing the uninstall
-p, --projectUninstall from the project directory instead of globally
--allUninstall from all IDEs without interactive selection
-h, --helpShow help message

check

Check the provided files against your conformance tests. 
zenable check [OPTIONS] [PATTERNS]...
Automatically detects files from IDE context when no patterns are provided. Supports glob patterns like **/*.py to check all Python files recursively. Accepts piped input via stdin from git status --short or plain file lists. Files are processed in batches of 5 for optimal performance.

Arguments

  • PATTERNS: Glob patterns for files to check (e.g., '**/*.py', 'src/**/*.js')
    • If no patterns are provided, auto-detects the last edited file, subject to filtering. Use --verbose for filtering details

Stdin

When input is piped to zenable check, it reads file paths from stdin. This supports:
  • git status --short output — status prefixes are automatically stripped, deleted files are skipped, and renames use the new path
  • Plain file lists — one file path per line

Options

OptionDescription
--exclude TEXTPatterns to exclude from checking
--base-path DIRECTORYBase directory for pattern matching (defaults to current directory)
--branchCheck all files changed on the current branch compared to the base branch
--base-branch TEXTBase branch to compare against when using --branch (default: $ZENABLE_CHECK_BASE_BRANCH or main)
--dry-runShow which files would be sent without actually checking them
--format TEXTOutput format(s): text, json, sarif, or html. Supports multiple formats and file paths (e.g. text,sarif=results.sarif). Default: text
--skip-ai-reviewSkip AI review (overrides config and env var)
--skip-semgrepSkip semgrep guardrails (overrides config and env var)
-h, --helpShow help message

Configuration

The check command supports configuration via environment variables:
Environment VariableDescriptionDefault
ZENABLE_CHECK_BASE_BRANCHDefault base branch to compare against when using --branchmain
Example
# Set default base branch to develop
export ZENABLE_CHECK_BASE_BRANCH=develop

# Now --branch uses develop instead of main
zenable check --branch

# CLI option still overrides env var
zenable check --branch --base-branch feature/base

Examples

# Check a single file
zenable check example.py

# Check all Python files recursively
zenable check '**/*.py'

# Check multiple patterns
zenable check 'src/**/*.js' 'tests/**/*.js'

# Pipe git status to check modified/untracked files
git status --short | zenable check

# Pipe a file list from any command
find src -name '*.py' | zenable check

# Exclude test files from checking
zenable check '**/*.py' --exclude '**/test_*.py'

# Specify base directory for pattern matching
zenable check '*.py' --base-path ./src

# Check all files changed on current branch compared to main
zenable check --branch

# Check all files changed on current branch compared to develop
zenable check --branch --base-branch develop

# Check only Python src files changed on current branch
zenable check --branch '**/*.py' --exclude '**/test_*.py'

# Dry run to see which files would be checked
zenable check '**/*.py' --dry-run

# Output results in SARIF format to a file (e.g. for CI integration)
zenable check '**/*.py' --format sarif=results.sarif

# Output results in JSON format to a file
zenable check '**/*.py' --format json=results.json

# Output text to terminal and write SARIF + JSON to files
zenable check '**/*.py' --format text,sarif=results.sarif,json=results.json

# Output HTML report to a file
zenable check '**/*.py' --format html=report.html

# Output multiple formats to stdout
zenable check '**/*.py' --format sarif,json

# Skip AI review and only run semgrep guardrails
zenable check '**/*.py' --skip-ai-review

hook

Handle calls from the hooks of Agentic IDEs. 
zenable hook [OPTIONS]
This command is specifically designed for IDE integrations like Claude Code and Cursor. It reads hook input from stdin, processes the files, and returns appropriate exit codes and formatted responses for the IDE to handle. To manually run a scan, use the check command instead.

Options

OptionDescription
-h, --helpShow help message
Reverted files are not reviewed. When an agent modifies a file and then reverts it back to match the base branch (e.g., via git checkout), the hook will report “No files to process” because there is no net change compared to the base branch. This is expected behavior — Zenable reviews the diff, not individual edits, so if the final state matches what’s already on the base branch, there’s nothing new to review.

triage

Fetch and address unresolved review comments on a pull request or merge request. 
zenable triage [OPTIONS]
Auto-detects the PR (GitHub) or MR (GitLab) for the current branch and fetches every commentable surface — line-level review threads, PR-level issue comments, and submitted-review summary bodies — in a single XML payload aimed at AI coding agents. By default only comments from the Zenable AI guardrails bot are returned; flags loosen that filter. The default output embeds an <instructions> block telling the agent how to process each thread (commit per thread, push, then reply). Use --reply to post a response to a single thread, or --report-only to emit a read-only research-report prompt that produces no commits, pushes, or replies.

Modes

ModeFlagWhat it does
List (default)nonePrint threads + an <instructions> block guiding the agent to fix, commit, push, and reply.
Reply--replyPost a single reply to a thread, either referencing a commit (--commit) or with a custom body (--comment).
Report-only--report-onlyEmit a prompt that has the agent research each comment and print a structured markdown report to stdout — no commits, no pushes, no replies.

Options

OptionDescription
--pr INTEGERGitHub PR number (auto-detected from current branch if omitted). Mutually exclusive with --mr.
--mr INTEGERGitLab MR number (auto-detected from current branch if omitted). Mutually exclusive with --pr.
--all-botsInclude comments from all bots, not just the Zenable AI guardrails bot.
--all-authorsInclude comments from all authors (humans and bots).
--include-resolvedInclude resolved review threads. Only applies to line-level threads; issue comments and review summaries have no resolve concept.
--format TEXTOutput format: xml (default), json, or text.
--push-strategy TEXTHow commits and replies are sequenced in default-mode instructions: batch (default — commit per thread, push once, then reply) or each (commit, push, reply per thread). Ignored when --report-only is set.
--replyReply to a single thread. Requires --thread-id and one of --commit/--comment. Mutually exclusive with --report-only.
--thread-id TEXTThread ID to reply to (used with --reply).
--commit TEXTCommit hash that addresses the thread (used with --reply). Mutually exclusive with --comment.
--comment TEXTCustom reply body (used with --reply). Mutually exclusive with --commit.
--report-onlyEmit a read-only research-report prompt; no commits, pushes, or replies. Mutually exclusive with --reply.
-h, --helpShow help message.

Examples

# List unresolved bot review comments (auto-detect PR/MR)
zenable triage

# List comments for a specific GitHub PR
zenable triage --pr 123

# List comments for a specific GitLab MR
zenable triage --mr 456

# Include comments from all authors, not just the bot
zenable triage --all-authors

# Include resolved threads as well
zenable triage --include-resolved

# Switch to per-thread commit + push + reply cycles
zenable triage --push-strategy each

# Reply to a thread by referencing a commit
zenable triage --reply --thread-id PRRT_abc123 --commit abc123f

# Reply to a thread with a custom comment
zenable triage --reply --thread-id PRRT_abc123 --comment "Intentional, see docs"

# Emit a read-only research-report prompt — no commits, no replies
zenable triage --report-only

# Same, but as JSON for downstream tooling
zenable triage --report-only --format json
Resolve state only applies to line-level review comments. Issue comments (PR-level conversation) and review summaries (the body of a submitted review) have no resolve/unresolve concept, so --include-resolved is a no-op for them.

login

Authenticate with Zenable via OAuth. 
zenable login
Opens a browser to complete the OAuth authentication flow. Credentials are cached locally for future commands. If already authenticated, skips re-authentication.

logout

Clear local OAuth credentials. 
zenable logout [OPTIONS]

Options

OptionDescription
--allAlso open Auth0 logout in browser to end remote session

sync

Sync guardrails from Zenable to local disk. 
zenable sync
Downloads and caches semgrep guardrails locally for faster conformance checks. Uses ETag-based caching to avoid re-downloading unchanged guardrails. Requires authentication.

logs

View zenable logs. 
zenable logs [OPTIONS]

Options

OptionDescription
-f, --followFollow log output (like tail -f)
-r, --rawShow raw log entries instead of just messages
-n, --lines INTEGERNumber of lines to show (from end of file, default: 50)
--clearClear the log file (cannot be used with other options)
-h, --helpShow help message

Examples

# View recent logs
zenable logs

# Follow logs in real-time
zenable logs --follow

# Show last 50 lines
zenable logs -n 50

# Clear logs
zenable logs --clear

doctor

Diagnose and troubleshoot installation and client issues. 
zenable doctor
Displays diagnostic information including OS details, terminal environment, Zenable environment variables (sensitive values redacted), dependency status, authentication state, custom guardrail validation status, and recent log entries. The Custom Guardrails section reports each configured custom guardrail file by absolute path with one of the following statuses:
  • — passed both upstream syntax and Zenable schema checks
  • — failed Zenable schema validation
  • ? — partially or not yet validated; run zenable guardrail validate <engine> <file> for more details

guardrail

Inspect and validate custom guardrail rules. The first positional argument selects the engine (opengrep or semgrep) — the server never infers it from the rule body. Subsequent arguments are file paths or glob patterns. 
zenable guardrail [SUBCOMMAND]

guardrail validate

Validate one or more custom guardrail rule files. Runs the engine’s native validate command (catches YAML / pattern syntax errors) and the Zenable schema check (catches the field-level rules that protect the findings API). Validation results are cached locally by SHA-256 of the rule body, so re-running is free for unchanged files. 
zenable guardrail validate <engine> <file-or-glob>...
Arguments
  • <engine> — required; one of opengrep or semgrep. Explicit by design; the server never infers it from the rule body.
  • <file-or-glob>... — one or more file paths or glob patterns. Globs expand relative to the current working directory. Excludes and config-driven skip-filenames do NOT apply: this command validates exactly what you point it at.
Options
  • --format <format>text (default) or json
Examples
# Validate one file
zenable guardrail validate opengrep ~/.zenable/custom_guardrails/semgrep/custom-no-eval.yaml

# Validate every YAML rule in a directory
zenable guardrail validate semgrep '~/.zenable/custom_guardrails/semgrep/*.yaml'

# Machine-readable output for CI
zenable guardrail validate opengrep '**/*.yaml' --format json | jq
Exit Codes
  • 0 — all files passed (or were partial-pass)
  • 1 — at least one file failed validation
  • 2 — bad arguments (unknown engine, no files matched)

version

Show the zenable version. 
zenable version
Will also notify you if an update is available.

Configuration Files

MCP Server Configuration

The tool creates MCP server configuration in IDE-specific locations, appropriate for that individual IDE. For instance: 
{
  "mcpServers": {
    "zenable": {
      "type": "http",
      "url": "https://mcp.zenable.app/"
    }
  }
}

Hook Configuration (Claude Code)

Hooks are configured in Claude Code settings (.claude/settings.json): 
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "zenable hook"
          }
        ]
      }
    ]
  }
}

Hook Configuration (Cursor)

Hooks are configured in Cursor hooks file (.cursor/hooks.json): 
{
  "version": 1,
  "hooks": {
    "afterFileEdit": [
      {
        "command": "zenable hook"
      }
    ]
  }
}

Exit Codes

CodeMeaning
0Success
2Conformance issues found
3Handler conflict
4No hook input
12No files specified
13No files found
14File read error
15Invalid parameters
16File write error
20API error
21Authentication error
51Installation error
52Partial success
130User interrupt

File Patterns

Glob Pattern Examples

# All Python files recursively
'**/*.py'

# Multiple extensions
'**/*.{js,ts,jsx,tsx}'

# Specific directory
'src/**/*.py'

# All files in current directory
'*'

# All files recursively
'**/*'

# Specific depth
'*/*.py'  # One level deep
'*/*/*.py'  # Two levels deep

Common Exclusions

# Python
--exclude '**/{__pycache__,venv,.venv,migrations}/**'

# JavaScript/Node
--exclude '**/{node_modules,dist,build,.next}/**'

# General
--exclude '.git/**'
--exclude '**/*.min.js'
--exclude '**/*.map'
--exclude '**/vendor/**'

Troubleshooting

Debug Mode

Enable debug output for troubleshooting: 
# Maximum verbosity
zenable -vv install

# Run a check with verbose output
zenable -v check '**/*.py'

# View debug logs
zenable logs --lines 100

# Run diagnostics
zenable doctor

Dry Run Mode

Preview changes without applying: 
# Preview installation
zenable install --dry-run

# Preview with specific IDE
zenable install mcp cursor --dry-run
*Continue users may experience issues until Continue adds support for streamable HTTP.

See Also