Zenable CLI Reference - Zenable Governance Platform

Coming soon. The native zenable CLI is under active development and will replace zenable-mcp. This page will be updated as commands stabilize. For the current CLI, see the zenable-mcp CLI Reference.

Overview

Zenable CLI - conformance checking, IDE management, and hook handling for agentic IDEs. The zenable CLI is the native Go binary that replaces the older Python-based zenable-mcp package. Install it via the Getting Started guide.

Global Options

These options are available for all commands:

Option	Description
`-v`, `--verbose`	Enable verbose output (repeatable: `-v`, `-vv`)
`-h`, `--help`	Show help message

Commands

`install`

Install the Zenable integrations.

zenable install [OPTIONS] [COMMAND] [ARGS]...

Note: You can use unified commands like install cursor or install claude-code, or use subcommands like install mcp cursor and install hook claude-code. The unified commands are simpler and install all features.

Options

Option	Description
`-d`, `--dry-run`	Preview what would be done without actually performing the installation
`-g`, `--global`	Install globally in user’s home directory instead of project directory
`--include TEXT`	Include only directories matching these glob patterns (e.g., `'*/microservice-'`)
`--exclude TEXT`	Exclude directories matching these glob patterns
`--all`	Install for all supported IDEs, even if not currently installed
`-h`, `--help`	Show help message

Running outside a git repository? The installer will search for git repositories below your current location and present an interactive TUI to select which repositories to install into. You can select one or more repositories, or choose to install globally.

Subcommands

`install mcp`

Install Zenable MCP server configuration. Uses OAuth for secure authentication.

zenable install mcp [OPTIONS] COMMAND [ARGS]...

Additional options:

Option	Description
`--overwrite`	Overwrite existing Zenable configuration if it exists
`--no-instructions`	Don’t show post-installation instructions

Supported IDE commands:

all - Install MCP for all detected IDEs (default)
amazon-q - Install MCP for Amazon Q Developer
amp - Install MCP for Amp
antigravity - Install MCP for Antigravity
auggie (alias: augment) - Install MCP for Auggie
claude-code (alias: claude) - Install MCP for Claude Code
codex - Install MCP for Codex
continue - Install MCP for the Continue IDE*
copilot-cli - Install MCP for GitHub Copilot CLI
cursor - Install MCP for Cursor IDE and cursor-agent CLI
gemini - Install MCP for Gemini CLI
kiro - Install MCP for Kiro
roo - Install MCP for Roo Code
vscode - Install MCP for Visual Studio Code
windsurf - Install MCP for Windsurf IDE

`install hook`

Install hooks for various tools.

zenable install hook [OPTIONS] COMMAND [ARGS]...

Supported hook commands:

all - Install hooks for all supported tools
claude-code (alias: claude) - Install Claude Code hooks
cursor - Install Cursor hooks

Options

Option	Description
`--dry-run`	Preview what would be done without actually performing the installation
`--include TEXT`	Include only directories matching these glob patterns (e.g., `'*/microservice-'`)
`--exclude TEXT`	Exclude directories matching these glob patterns
`-h`, `--help`	Show help message

Examples

# Install for all detected IDEs (recommended)
zenable install

# Install for a specific IDE using unified command (recommended)
zenable install cursor
zenable install claude-code

# Install Zenable for all detected IDEs, globally
zenable install --global

# Preview what would be done without installing
zenable install --dry-run

# Advanced: Install only MCP (without hooks) for all detected IDEs
zenable install mcp

# Advanced: Install only MCP for a specific IDE
zenable install mcp cursor

# Advanced: Install only hooks
zenable install hook
zenable install hook claude-code
zenable install hook cursor

`check`

Check the provided files against your conformance tests.

zenable check [OPTIONS] [PATTERNS]...

Automatically detects files from IDE context when no patterns are provided. Supports glob patterns like **/*.py to check all Python files recursively. Files are processed in batches of 5 for optimal performance.

Arguments

PATTERNS: Glob patterns for files to check (e.g., '**/*.py', 'src/**/*.js')
- If no patterns are provided, auto-detects the last edited file, subject to filtering. Use --verbose for filtering details

Options

Option	Description
`--exclude TEXT`	Patterns to exclude from checking
`--base-path DIRECTORY`	Base directory for pattern matching (defaults to current directory)
`--branch`	Check all files changed on the current branch compared to the base branch
`--base-branch TEXT`	Base branch to compare against when using `--branch` (default: `$ZENABLE_CHECK_BASE_BRANCH` or `main`)
`--dry-run`	Show which files would be sent without actually checking them
`-h`, `--help`	Show help message

Configuration

The check command supports configuration via environment variables:

Environment Variable	Description	Default
`ZENABLE_CHECK_BASE_BRANCH`	Default base branch to compare against when using `--branch`	`main`

Example

# Set default base branch to develop
export ZENABLE_CHECK_BASE_BRANCH=develop

# Now --branch uses develop instead of main
zenable check --branch

# CLI option still overrides env var
zenable check --branch --base-branch feature/base

Examples

# Check a single file
zenable check example.py

# Check all Python files recursively
zenable check '**/*.py'

# Check multiple patterns
zenable check 'src/**/*.js' 'tests/**/*.js'

# Exclude test files from checking
zenable check '**/*.py' --exclude '**/test_*.py'

# Specify base directory for pattern matching
zenable check '*.py' --base-path ./src

# Check all files changed on current branch compared to main
zenable check --branch

# Check all files changed on current branch compared to develop
zenable check --branch --base-branch develop

# Check only Python src files changed on current branch
zenable check --branch '**/*.py' --exclude '**/test_*.py'

# Dry run to see which files would be checked
zenable check '**/*.py' --dry-run

`hook`

Handle calls from the hooks of Agentic IDEs.

zenable hook [OPTIONS]

This command is specifically designed for IDE integrations like Claude Code and Cursor. It reads hook input from stdin, processes the files, and returns appropriate exit codes and formatted responses for the IDE to handle. To manually run a scan, use the check command instead.

Options

Option	Description
`-h`, `--help`	Show help message

Reverted files are not reviewed. When an agent modifies a file and then reverts it back to match the base branch (e.g., via git checkout), the hook will report “No files to process” because there is no net change compared to the base branch. This is expected behavior — Zenable reviews the diff, not individual edits, so if the final state matches what’s already on the base branch, there’s nothing new to review.

Authenticate with Zenable via OAuth.

zenable login

Opens a browser to complete the OAuth authentication flow. Credentials are cached locally for future commands. If already authenticated, skips re-authentication.

`logout`

Clear local OAuth credentials.

zenable logout [OPTIONS]

Options

Option	Description
`--all`	Also open Auth0 logout in browser to end remote session

`sync`

Sync guardrails from Zenable to local disk.

zenable sync

Downloads and caches semgrep guardrails locally for faster conformance checks. Uses ETag-based caching to avoid re-downloading unchanged guardrails. Requires authentication.

`logs`

View zenable logs.

zenable logs [OPTIONS]

Options

Option	Description
`-f`, `--follow`	Follow log output (like `tail -f`)
`-r`, `--raw`	Show raw log entries instead of just messages
`-n`, `--lines INTEGER`	Number of lines to show (from end of file, default: 50)
`--clear`	Clear the log file (cannot be used with other options)
`-h`, `--help`	Show help message

Examples

# View recent logs
zenable logs

# Follow logs in real-time
zenable logs --follow

# Show last 50 lines
zenable logs -n 50

# Clear logs
zenable logs --clear

`doctor`

Diagnose and troubleshoot installation and client issues.

zenable doctor

Displays diagnostic information including OS details, terminal environment, Zenable environment variables (sensitive values redacted), dependency status, authentication state, and recent log entries.

`version`

Show the zenable version.

zenable version

Will also notify you if an update is available.

Configuration Files

MCP Server Configuration

The tool creates MCP server configuration in IDE-specific locations, appropriate for that individual IDE. For instance:

{
  "mcpServers": {
    "zenable": {
      "type": "http",
      "url": "https://mcp.zenable.app/"
    }
  }
}

Hook Configuration (Claude Code)

Hooks are configured in Claude Code settings (.claude/settings.json):

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "zenable hook"
          }
        ]
      }
    ]
  }
}

Hook Configuration (Cursor)

Hooks are configured in Cursor hooks file (.cursor/hooks.json):

{
  "version": 1,
  "hooks": {
    "afterFileEdit": [
      {
        "command": "zenable hook"
      }
    ]
  }
}

Exit Codes

Code	Meaning
0	Success
2	Conformance issues found
3	Handler conflict
4	No hook input
12	No files specified
13	No files found
14	File read error
15	Invalid parameters
16	File write error
20	API error
21	Authentication error
51	Installation error
52	Partial success
130	User interrupt

File Patterns

Glob Pattern Examples

# All Python files recursively
'**/*.py'

# Multiple extensions
'**/*.{js,ts,jsx,tsx}'

# Specific directory
'src/**/*.py'

# All files in current directory
'*'

# All files recursively
'**/*'

# Specific depth
'*/*.py'  # One level deep
'*/*/*.py'  # Two levels deep

Common Exclusions

# Python
--exclude '**/{__pycache__,venv,.venv,migrations}/**'

# JavaScript/Node
--exclude '**/{node_modules,dist,build,.next}/**'

# General
--exclude '.git/**'
--exclude '**/*.min.js'
--exclude '**/*.map'
--exclude '**/vendor/**'

Troubleshooting

Debug Mode

Enable debug output for troubleshooting:

# Maximum verbosity
zenable -vv install

# Run a check with verbose output
zenable -v check '**/*.py'

# View debug logs
zenable logs --lines 100

# Run diagnostics
zenable doctor

Dry Run Mode

Preview changes without applying:

# Preview installation
zenable install --dry-run

# Preview with specific IDE
zenable install mcp cursor --dry-run

*Continue users may experience issues until Continue adds support for streamable HTTP.

Overview

Integrations

IDE Installation Guides

Tools & Reference

Use Cases

​Overview

​Global Options

​Commands

​install

​Options

​Subcommands

install mcp

install hook

Options

​Examples

​check

​Arguments

​Options

​Configuration

Example

​Examples

​hook

​Options

​login

​logout

​Options

​sync

​logs

​Options

​Examples

​doctor

​version

​Configuration Files

​MCP Server Configuration

​Hook Configuration (Claude Code)

​Hook Configuration (Cursor)

​Exit Codes

​File Patterns

​Glob Pattern Examples

​Common Exclusions

​Troubleshooting

​Debug Mode

​Dry Run Mode

​See Also

Overview

Global Options

Commands

`install`

Options

Subcommands

`install mcp`

`install hook`

Examples

`check`

Arguments

Options

Configuration

Examples

`hook`

Options

`login`

`logout`

Options

`sync`

`logs`

Options

Examples

`doctor`

`version`

Configuration Files

MCP Server Configuration

Hook Configuration (Claude Code)

Hook Configuration (Cursor)

Exit Codes

File Patterns

Glob Pattern Examples

Common Exclusions

Troubleshooting

Debug Mode

Dry Run Mode

See Also